What happened
CISA added CVE-2019-9874 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-03-26 with a remediation due date of 2025-04-16, signaling confirmed exploitation in the wild [CISA KEV]. The entry covers Sitecore CMS and Experience Platform (XP) and describes a deserialization flaw in the Sitecore.Security.AntiCSRF module that enables unauthenticated remote code execution (RCE) when a serialized .NET object is delivered in the HTTP POST parameter “__CSRFTOKEN” [CISA KEV]. NVD tracks the issue as CVE-2019-9874 and classifies it under CWE-502 (Deserialization of Untrusted Data), consistent with the RCE impact CISA describes [NVD CVE-2019-9874].
Why it matters
Inclusion in the KEV catalog indicates active exploitation and makes this flaw an immediate remediation priority for federal networks and for any environment with a similar risk profile [CISA KEV]. The attack is pre-authentication: any reachable Sitecore endpoint that processes the AntiCSRF token is a potential target, giving unauthenticated attackers a direct path to code execution per the KEV description [CISA KEV]. Insecure deserialization (CWE-502) is a high-value bug class because crafted objects can trigger gadget chains during deserialization, yielding arbitrary code execution in the application's security context [NVD CVE-2019-9874]. MITRE's CVE record fixes the vulnerability's identity and coordinates tracking across vendors and tools, so defenders and scanners reference the same underlying issue [MITRE CVE].
Technical detail
According to CISA, the Sitecore.Security.AntiCSRF module deserializes a .NET object supplied by the client in the “__CSRFTOKEN” POST parameter, so untrusted data is processed as a live object graph [CISA KEV]. This is a classic CWE-502 scenario: untrusted serialized content reaches a deserializer without strict validation, enabling attacker-controlled object behavior while the graph is rehydrated [NVD CVE-2019-9874]. The outcome, as stated by CISA, is unauthenticated arbitrary code execution when the malicious payload is processed by the vulnerable module [CISA KEV].
While implementation specifics aren't detailed in the public records, the primitive is clear: the AntiCSRF token path accepts serialized .NET input and hands it to server-side logic, which is precisely the pattern CWE-502 warns about for object injection and gadget-chain abuse [NVD CVE-2019-9874]. The affected product line is Sitecore CMS and Experience Platform (XP), as identified in the KEV catalog and the CVE metadata [CISA KEV]. The authoritative CVE definition is maintained by MITRE to ensure consistent identification across advisories and tooling [MITRE CVE].
Defense
CISA's required action is unambiguous: apply vendor mitigations as instructed, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable [CISA KEV]. In practice, that means prioritizing the upgrades or patches Sitecore provides for the AntiCSRF module path associated with CVE-2019-9874 [NVD CVE-2019-9874]. For organizations under federal requirements, KEV entries carry a fixed remediation date; missing the 2025-04-16 deadline increases both risk and non-compliance exposure [CISA KEV].
Interim containment and detection recommendations:
- Restrict exposure: limit internet reachability of Sitecore administrative and content endpoints while remediation is underway, consistent with the KEV prioritization of actively exploited flaws [CISA KEV].
- Monitor requests: create detections for POST requests in which the “__CSRFTOKEN” parameter is present and appears to carry a serialized object payload, since the KEV description calls out this exact vector [CISA KEV].
- Asset focus: enumerate Sitecore CMS and Experience Platform (XP) instances and correlate them with CVE-2019-9874 to drive targeted patching and validation [NVD CVE-2019-9874].
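One way to implement the request-monitoring recommendation above, as an added example that is not Sitecore's, CISA's or Lyrie's code: a small Python inspector that pulls __CSRFTOKEN out of a form-encoded POST body and checks whether the value decodes to a .NET serialization stream rather than an opaque token. The signatures it uses are the BinaryFormatter stream header (bytes 00 01 00 00 00 FF FF FF FF 01 00 00 00, which base64-encodes to a string beginning "AAEAAAD/////"), the LosFormatter/ObjectStateFormatter header FF 01 (base64 "/wE"), and the type-hint attributes that XML-based .NET serializers emit. The sample requests are constructed for the demonstration, not captured traffic, and the benign token is a random placeholder because the page does not document Sitecore's real token format.

```python
"""Flag serialized .NET objects in the __CSRFTOKEN POST parameter (added example).

Signatures (real .NET serialization stream headers):
  BinaryFormatter header : 00 01 00 00 00 FF FF FF FF 01 00 00 00 -> base64 'AAEAAAD/////...'
  LosFormatter / ObjectStateFormatter header : FF 01               -> base64 '/wE...'
  XML serializers (NetDataContractSerializer etc.) : z:Type / z:Assembly / xsi:type hints
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, quote

BINARY_FORMATTER_HEADER = bytes.fromhex("0001000000ffffffff01000000")
LOS_FORMATTER_HEADER = b"\xff\x01"
XML_TYPE_HINT = re.compile(rb"z:(Type|Assembly)=|<SOAP-ENV:Envelope|xsi:type=", re.I)


def _b64_decode_lenient(value: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64; tolerate stripped padding and '+' mangled to ' '."""
    s = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_token(token: str) -> Optional[str]:
    """Return the matching serializer signature name, or None if the token looks opaque."""
    raw = _b64_decode_lenient(token)
    if raw is not None:
        if raw.startswith(BINARY_FORMATTER_HEADER):
            return "binaryformatter"
        if raw.startswith(LOS_FORMATTER_HEADER):
            return "losformatter"
        if XML_TYPE_HINT.search(raw):
            return "xml-serializer"
    # The payload may also arrive as plain (URL-encoded) XML rather than base64.
    if XML_TYPE_HINT.search(token.encode("utf-8", "replace")):
        return "xml-serializer"
    return None


def inspect_request(method: str, body: str) -> dict:
    """Evaluate one form-encoded request body; returns a verdict dict suitable for a SIEM event."""
    verdict = {"method": method.upper(), "has_csrftoken": False, "signature": None, "alert": False}
    if verdict["method"] != "POST":
        return verdict  # the KEV vector is the POST parameter; nothing to inspect otherwise
    params = parse_qs(body, keep_blank_values=True)
    tokens = params.get("__CSRFTOKEN")
    if not tokens:
        return verdict
    verdict["has_csrftoken"] = True
    for tok in tokens:  # the parameter may be repeated; any serialized value alerts
        sig = classify_token(tok)
        if sig:
            verdict.update(signature=sig, alert=True)
            break
    return verdict


def _form(token_bytes: bytes, extra: str = "") -> str:
    """Build a constructed form body carrying the given bytes as a base64 __CSRFTOKEN."""
    return "__CSRFTOKEN=" + quote(base64.b64encode(token_bytes).decode(), safe="") + extra


# Constructed sample traffic for the demo (not captured requests).
SAMPLE_REQUESTS = [
    # Benign: an opaque placeholder token (Sitecore's real token format is not documented here).
    ("POST", _form(b"constructed-opaque-token-0123456789", "&Name=hello")),
    # Suspicious: BinaryFormatter stream header followed by zero filler (header only, not a payload).
    ("POST", _form(BINARY_FORMATTER_HEADER + b"\x00" * 16)),
    # Suspicious: LosFormatter/ObjectStateFormatter-style header.
    ("POST", _form(LOS_FORMATTER_HEADER + b"constructed")),
    # Not the vector: GET carries no form body.
    ("GET", ""),
]


def alerts_for(requests) -> list:
    """Return the signature names of every request that should raise an alert."""
    return [v["signature"] for v in (inspect_request(m, b) for m, b in requests) if v["alert"]]


if __name__ == "__main__":
    for method, body in SAMPLE_REQUESTS:
        print(inspect_request(method, body))
    print("alerts:", alerts_for(SAMPLE_REQUESTS))
```

Run this where the raw request body is available (WAF, reverse proxy, or request-logging pipeline). A hit on the BinaryFormatter or LosFormatter header is a strong indicator, since a legitimate anti-CSRF token has no reason to begin with a serialization stream header; treat the XML-hint regex as lower confidence and tune it against your own traffic before blocking on it.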
Finally, update vulnerability scanners and SBOM inventories so that CVE-2019-9874 is tracked across environments, using the canonical CVE record as the source of truth [MITRE CVE].
Lyrie Verdict
This is a textbook pre-auth deserialization RCE routed through a CSRF token field, which makes it high-signal for autonomous detection. Lyrie instruments request-path semantics and payload shape to flag serialized-object artifacts in user-controlled parameters and drops the request before the application deserializes it, in line with the CWE-502 risk pattern documented for CVE-2019-9874 [NVD CVE-2019-9874]. We bind detections to the specific vector CISA names, “__CSRFTOKEN” in a POST body, and cross-check against exploit-like object signatures to enforce a deny-first policy during active exploitation windows [CISA KEV]. Net effect: machine-speed prevention at the ingress layer while your teams patch, with continuous validation tied to the authoritative CVE record [MITRE CVE].