XM Vulnerability Exploit Attempts

> Learnings from hacker activity in 2023 and 2024

Overview

This post is an analysis of hacker reconnaissance and exploit attempts related to the 2023 critical security bulletins. Insights can be extracted for existing and future XM/XP implementations.

I have been sitting on this data for 2 years. Now that the dust has settled and everyone has had plenty of time to patch their environments, I'm finally able to share it with you. Due to the amount of analysis and writing that this post required, I used Cursor to help me write it (with a lot of babysitting).


This comprehensive analysis will walk you through:

  • Infrastructure Details: Which environments were targeted and which were not
  • Vulnerability Specifics: Technical breakdowns of CVE-2023-33651 and CVE-2023-35815
  • Attack Patterns: Real-world exploit attempts captured in IIS logs
  • IP Intelligence: Detailed information about the attacking IPs, their locations, and ISPs
  • Temporal Analysis: When attacks occurred and how they evolved over time
  • Defensive Insights: What you can learn to better protect your own implementations

The data presented here is from an actual production system, providing a unique window into how attackers operate in the wild.

The following table illustrates the infrastructure that was in place at the time (now decommissioned):

    | Server     | Targeted by Attackers |
    |------------|-----------------------|
    | STAGING CM | Yes                   |
    | STAGING CD | No                    |
    | PROD CM    | Yes                   |
    | PROD CD1   | No                    |
    | PROD CD2   | Yes                   |

To the best of my knowledge, patches and mitigations were in place prior to the attack patterns being observed in the logs.

The Vulnerabilities

The 2023/2024 security bulletins addressed several critical vulnerabilities in Sitecore XM/XP. Understanding these vulnerabilities is essential for appreciating the attack patterns observed in the logs. This section provides technical details on the two primary vulnerabilities that were actively exploited by threat actors.

The relevant security bulletins are:

  • SC2023-001-568150: Related to the MVC Device Simulator vulnerability which might allow IIS Authorization Rules Bypass.
  • SC2023-002-576660: Related to remote code execution vulnerability.
  • SC2023-003-587441 (supersedes the prior two): Addresses Critical (582720) and High (584731) severity vulnerabilities in Sitecore software. Successful exploitation of the related vulnerabilities might lead to remote code execution and unauthorized access to information.
  • SC2024-002-624693: Related to remote code execution through insecure deserialization (CVE-2025-27218).

DeviceSimulator Path Traversal & Unauthorized Access

Security Bulletin: SC2023-001-568150
Announcement Date: March 28, 2023
Superseded By: SC2023-003-587441 (June 20, 2023)
CVE: CVE-2023-33651
Severity: Critical

References:

Technical Overview

The DeviceSimulator vulnerability lies in the Mobile Device Simulator feature in Sitecore, which allows content authors to preview how their site appears on different devices. The flaw exists in the Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController component and can be exploited through path manipulation.

The vulnerable endpoint is typically accessed at:

    /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview

Attack Vectors

1. Path Traversal for File Read

Attackers can use the previewPath parameter to read arbitrary files from the webroot by bypassing IIS authorization checks. The most commonly targeted file is the license file, which can reveal sensitive information about the Sitecore installation:

    GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview?previewPath=/App_Data/license.xml

The vulnerability allows reading files that would normally be protected by IIS authorization rules, because the preview functionality processes the path in a way that circumvents these protections.

2. Chaining with Execute.aspx

More sophisticated attacks observed in the logs attempted to chain this vulnerability with access to Execute.aspx, a powerful Sitecore administrative interface:

    GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview?previewPath=/sitecore/shell/Applications/Content Manager/Execute.aspx?cmd=convert&mode=HTML

If successful, this chain could enable arbitrary code execution, as Execute.aspx provides direct access to Sitecore's backend operations.

Why This Works

The vulnerability relies on a combination of factors:

  1. IIS Authorization Bypass: The request is processed through the MVC pipeline in a way that bypasses standard IIS authentication and authorization checks
  2. Path Manipulation: The previewPath parameter is not properly sanitized, allowing traversal to protected resources
  3. Privileged Context: The preview functionality runs in a context that has access to restricted paths

Affected Versions

  • Sitecore Experience Platform 9.0 rev. 171002 (Initial Release) +
  • Content Delivery, Content Management, Reporting, Processing, EXM Dispatch

Timeline Context

Exploitation in the wild began remarkably quickly after the details of the vulnerabilities were made public:

  • March 28, 2023: Sitecore publishes SC2023-001-568150
  • May 10, 2023: Assetnote publishes technical exploitation details
  • May 12, 2023: First observed exploit attempts (2 days after technical disclosure)

This rapid weaponization highlights the importance of applying security patches before technical details become public.

sitecore_xaml Deserialization & Remote Code Execution

Security Bulletin: Not explicitly numbered in logs, but related to XAML deserialization vulnerabilities
Known Since: Pre-2023 (various iterations)
CVE: Related to CVE-2021-42237 and similar deserialization issues
Severity: Critical

References:

Technical Overview

The sitecore_xaml.ashx vulnerability is a deserialization attack that exploits Sitecore's XAML handling capabilities. XAML (eXtensible Application Markup Language) is a declarative XML-based language used in .NET applications, and when user-controlled XAML is deserialized without proper validation, it can lead to remote code execution.

The vulnerable endpoint is:

    /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index

Attack Mechanism

1. XAML Injection with TemplateParser

The attack exploits ASP.NET's TemplateParser.ParseControl method through XAML deserialization. By crafting malicious XAML that invokes this method, attackers can execute arbitrary code:

    POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index

    __ISEVENT: 1
    __SOURCE:
    __PARAMETERS: ParseControl("<%@Register
    TagPrefix = 'x'
    Namespace = 'System.Runtime.Remoting.Services'
    Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    %>
    <x:RemotingService runat='server'
    Context-Response-ContentType='Z03Oq1'
    />
    ");

2. The Deserialization Chain

The exploitation chain works as follows:

  1. Attacker sends malicious XAML to sitecore_xaml.ashx
  2. Sitecore processes the XAML without adequate validation
  3. The XAML invokes TemplateParser.ParseControl via reflection
  4. This allows instantiation of arbitrary .NET types
  5. The attacker chains gadgets to achieve code execution

3. Copy-Paste Exploitation

A significant observation from the December 31, 2023 logs is that attackers used the exact payload from the Code White research blog, including the same marker string Z03Oq1. This indicates script-kiddie-level exploitation where attackers copy published proof-of-concept code without modification.

The exception logged on staging reveals the attack was caught by Sitecore's reflection protections:

    Sitecore.Exceptions.AccessDeniedException Sitecore.Reflection.MethodFilter in Filter
    Calling System.Web.UI.TemplateControl.ParseControl method through reflection is forbidden.

This suggests that while the infrastructure had protections in place, the vulnerability was still being actively probed.

Why This Is Dangerous

  1. Remote Code Execution: Successful exploitation grants arbitrary code execution on the web server
  2. No Authentication Required: The endpoint can be accessed without authentication on vulnerable systems
  3. Widespread Targeting: The logs show consistent, global exploitation attempts across multiple IP ranges

Timeline

The high-level timeline is as follows:

    May 2023     : DeviceSimulator probes begin (STAGING)
    July 2023    : DeviceSimulator probes continue (PROD CD2)
    Oct 2023     : sitecore_xaml attacks begin (STAGING & PROD CM)
    Dec 2023-Jan : Continued exploitation attempts across all environments
    Feb 2024     : Advanced HPP techniques observed

Specifics:

  • March 28, 2023: Sitecore Security Bulletin SC2023-001-568150 (DeviceSimulator)
    KB1002925 is posted.

  • May 10, 2023: Exploit Details Published
    Assetnote research published technical details: bypass IIS authorization … DeviceSimulator
    Threat actor reconnaissance began just two days after publication.

  • May 12, 2023: STAGING: First DeviceSimulator Requests
    A GET request to .../SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview with previewPath=/App_Data/license.xml (returned a 404) indicates early reconnaissance for the DeviceSimulator vector.

  • May 15, 2023: STAGING: Additional DeviceSimulator Requests
    Repeated requests to previewPath=/App_Data/license.xml with varied user-agents (all returned 404).

  • May 17, 2023: STAGING: Expanded DeviceSimulator Variants
    previewPath variations including /App_Data/license.xml and /Data/license.xml, including escaped forms (all returned 404).

  • June 20, 2023: Sitecore Security Bulletin SC2023-003-587441
    KB1003018 posted.
    This bulletin superseded the March bulletin KB1002925 (SC2023-001-568150), meaning that once the permanent solution from this bulletin was applied, the solution specified in the previous bulletin was no longer necessary.

  • July 7, 2023: PROD CD2: SimulatorController Targeting Execute.aspx
    Multiple GET/POST requests to .../SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview using previewPath=/sitecore/shell/Applications/Content Manager/Execute.aspx?cmd=... (returned 404/301).
    Interpretation: Targeting DeviceSimulator preview path to reach Execute.aspx command surface.

  • October 11, 2023: STAGING: sitecore_xaml Activity With site=site2
    Series of calls to sitecore_xaml.ashx/... with follow-up to /sitecore/service/notfound.aspx?item=/sitecore_xaml&...&site=site2.
    These entries are particularly interesting because of the inclusion of site2 in the site param. This indicates manual work by the hacker or more finely tuned automation of pen testing.


    2023-10-11 15:10:58 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 80 - 20.222.39.209 python-requests/2.31.0 - 301 0 0 203
    2023-10-11 15:10:58 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 171
    2023-10-11 15:10:58 <redacted_stage_cm_ip> GET /sitecore/service/notfound.aspx item=%2Fsitecore_xaml&user=extranet%5CAnonymous&site=site2 443 - 20.222.39.209 python-requests/2.31.0 - 404 8 0 156
    2023-10-11 15:10:58 <redacted_stage_cm_ip> GET /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 173
    2023-10-11 15:10:58 <redacted_stage_cm_ip> GET /sitecore/service/notfound.aspx item=%2Fsitecore_xaml&user=extranet%5CAnonymous&site=site2 443 - 20.222.39.209 python-requests/2.31.0 - 404 8 0 156


    2023-10-11 12:47:42 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 80 - 20.222.39.209 python-requests/2.31.0 - 301 0 0 221
    2023-10-11 12:47:42 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 203
    2023-10-11 12:47:42 <redacted_stage_cm_ip> GET /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 173
    2023-10-11 13:47:53 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 80 - 20.222.39.209 python-requests/2.31.0 - 301 0 0 203
    2023-10-11 13:47:53 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 218
    2023-10-11 13:47:53 <redacted_stage_cm_ip> GET /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 203
    2023-10-11 15:10:58 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 80 - 20.222.39.209 python-requests/2.31.0 - 301 0 0 203
    2023-10-11 15:10:58 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 171
    2023-10-11 15:10:58 <redacted_stage_cm_ip> GET /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 173

  • October 11, 2023: PROD CM: Earliest sitecore_xaml Attempts
    POST to sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index (403).


    2023-10-11 07:32:22 <redacted_prod_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 167.99.48.250 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/41.0.2227.0+Safari/537.36 - 403 0 0 15
    2023-10-11 10:20:31 <redacted_prod_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 115.74.115.124 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2117.157+Safari/537.36 - 403 0 0 273
    2023-10-11 11:31:58 <redacted_prod_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 115.74.115.124 Mozilla/5.0+(Windows+NT+10.0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/89.0.4389.114+Safari/537.36 - 403 0 0 266
    2023-10-11 18:57:02 <redacted_prod_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index x=dir 443 - 1.54.155.200 Mozilla/5.0+(Windows+NT+6.2;+WOW64)+AppleWebKit/537.36+(KHTML+like+Gecko)+Chrome/44.0.2403.155+Safari/537.36 - 403 0 0 265

  • October 17, 2023: Continued sitecore_xaml Attempts
    Additional POST attempts on STAGING endpoint:


    2023-10-17 06:22:41 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 193.160.247.15 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/41.0.2226.0+Safari/537.36 - 302 0 0 169
    2023-10-17 06:22:44 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 193.160.247.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.77+Safari/537.36 - 302 0 0 184

  • October 22, 2023: PROD CM: sitecore_xaml Attempt
    POST attempt (403).

  • November 2, 2023: PROD CM: sitecore_xaml Attempt
    POST attempt (403).

  • December 4, 2023: PROD CM: sitecore_xaml Attempt
    POST attempt (403).

  • December 14, 2023: STAGING CM and PROD CM: Initial Probes
    Requests to / (301) and /default.js (200) using curl and python-requests.

  • December 18, 2023: STAGING CM and PROD CM: Follow-up Probes
    Repeat of / (301) and /default.js (200) probe pattern.

  • December 31, 2023: STAGING CM: Notable Exception Captured
    Exception AccessDeniedException triggered by sitecore_xaml.ashx payload (see analysis in Code White). This one is interesting because the arbitrary string that was injected is the exact same one as the post that demonstrated the exploit. The hacker simply copy and pasted it. This request was performed only on STAGING CM and not on any of the other sites / environments.


    2023-12-31 08:14:03,911 ERROR
    Unhandled exception
    Sitecore.Exceptions.AccessDeniedException Sitecore.Reflection.MethodFilter in Filter
    Calling System.Web.UI.TemplateControl.ParseControl method through reflection is forbidden.
    ASP.global_asax

    Unhandled exception
    User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
    IP: 86.106.158.99
    Path and Query: /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index
    Posted Values: __ISEVENT: 1; __SOURCE: ; __PARAMETERS: ParseControl("<%@Register
    TagPrefix = 'x'
    Namespace = 'System.Runtime.Remoting.Services'
    Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    %>
    <x:RemotingService runat='server'
    Context-Response-ContentType='Z03Oq1'
    />
    ");
    ASP NET SessionID: (4yz4dwhgz3ejzd0mjzlor2tv)
    Culture: N/A
    Host: authoring-cm.mysite.com

    The IP address 86.106.158.99 is based out of Switzerland, so I already know that this is probably a hacker, given that the site I was performing this analysis on was unlikely to have legitimate visitors from Switzerland. An HTTP request to the IP returns an Ubuntu splash page. It is still up and running as of November 2025.

  • December 31, 2023: STAGING CM: IIS POST to sitecore_xaml
    POST to sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index (302).

  • December 31, 2023: PROD CM: sitecore_xaml POST Attempt
    POST attempt to sitecore_xaml.ashx/... (403).

  • January 2024: Probing Continues
    General probing shows up in the logs again on January 9, 10, 11, 12.

  • January 16, 2024: PROD CM: Additional sitecore_xaml Attempts
    Multiple POST attempts (403).

  • January 18, 2024: PROD CM: Additional sitecore_xaml Attempt
    POST attempt (403).

  • January 20 and 21, 2024
    Probing continues.

  • January 24, 2024: DeviceSimulator Preview Requests Return 401
    Request to .../SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview?previewPath=/App_Data/license.xml (401).

  • January 28, 2024: PROD CM: DeviceSimulator Preview Request 401
    previewPath=/App_Data/license.xml (401). Reference: KB1002925

  • January 28, 2024: Additional DeviceSimulator Preview Requests 401
    Repeated 401 responses for previewPath=/App_Data/license.xml.

  • January 29, 2024: Additional DeviceSimulator Preview Requests 401
    Continued 401 responses for previewPath=/App_Data/license.xml.

  • February 3, 2024: PROD CM: Additional sitecore_xaml Attempt
    POST attempt (403).

  • February 4, 2024: Additional Countermeasures Applied
    IP address blocks added and IIS rules updated.

Attack Pattern Analysis

From the logs, we can observe:

  • Frequency: Sustained attacks from October 2023 through February 2024
  • Global Sources: IP addresses from multiple countries (Switzerland, China, Australia, Pakistan, various US locations)
  • Automated Nature: Consistent user agent patterns suggesting automated scanning tools
  • Response Codes:
    • 403 on PROD CM (properly protected)
    • 302 on STAGING (redirecting, potentially vulnerable)
    • 404 in some cases (handler not found or disabled)
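As an added example (not code from the post or from Sitecore), the following Python script applies the two signatures described above to IIS W3C log lines: DeviceSimulator Preview requests whose previewPath points at license.xml or Execute.aspx (folding the escaped and URL-encoded variants seen in the logs), and requests to sitecore_xaml.ashx. The field order and the sample log lines are assumptions, constructed to mirror the entries quoted in this post.

```python
"""Scan IIS W3C log lines for the two probe patterns discussed in this post.
The field order below and the SAMPLE_LOG entries are assumptions."""
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Assumed W3C field order, matching the log snippets quoted in the post.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "time_taken"]

DEVICE_SIM_STEM = ("/api/sitecore/sitecore.mvc.devicesimulator.controllers."
                   "simulatorcontroller,sitecore.mvc.devicesimulator.dll/preview")
XAML_STEM_PREFIX = "/sitecore_xaml.ashx/"


def parse_line(line):
    """Split one log line into a dict; None for header, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")          # IIS encodes spaces in fields as '+'
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec


def normalize_preview_path(query):
    """Extract previewPath and fold the evasions seen in the logs: single or
    double URL encoding and backslash-escaped slashes such as \\/App_Data/..."""
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "previewpath":
            path = unquote(values[0])   # parse_qs decoded once; undo a second layer
            return path.replace("\\", "").lower()
    return ""


def classify(rec):
    """Return a rule name when the request matches a probe pattern, else None."""
    stem = rec["uri_stem"].lower()
    if stem == DEVICE_SIM_STEM:
        path = normalize_preview_path(rec["uri_query"])
        if "license.xml" in path:
            return "devicesimulator-license-read"
        if "execute.aspx" in path:
            return "devicesimulator-execute-chain"
        return "devicesimulator-preview-other"
    if stem.startswith(XAML_STEM_PREFIX):
        return "sitecore-xaml-post" if rec["method"].upper() == "POST" else "sitecore-xaml-get"
    return None


def scan(lines):
    """One finding per matching log line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            findings.append({"when": f"{rec['date']} {rec['time']}", "ip": rec["c_ip"],
                             "rule": rule, "status": rec["status"]})
    return findings


def summarize(findings):
    """Per source IP: hit count, rules triggered, status codes, and whether any
    probe was answered with 200 (the case that warrants a closer look)."""
    acc = defaultdict(lambda: {"hits": 0, "rules": set(), "statuses": set()})
    for f in findings:
        acc[f["ip"]]["hits"] += 1
        acc[f["ip"]]["rules"].add(f["rule"])
        acc[f["ip"]]["statuses"].add(f["status"])
    return {ip: {"hits": s["hits"], "rules": sorted(s["rules"]),
                 "statuses": sorted(s["statuses"]), "answered_200": 200 in s["statuses"]}
            for ip, s in acc.items()}


# Constructed sample lines (RFC 5737 client addresses), modeled on the post's entries.
_SIM = ("/api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,"
        "Sitecore.Mvc.DeviceSimulator.dll/Preview")
_XAML = "/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    f"2023-05-18 08:33:21 10.0.0.5 GET {_SIM} previewPath=\\/App_Data/license.xml 80 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/112.0 - 404 8 0 62",
    f"2023-05-18 08:34:17 10.0.0.5 GET {_SIM} previewPath=%2FData%2Flicense.xml 80 - 203.0.113.10 curl/7.81.0 - 404 8 0 78",
    f"2023-07-07 11:02:44 10.0.0.6 GET {_SIM} previewPath=/sitecore/shell/Applications/Content+Manager/Execute.aspx?cmd=convert&mode=HTML 443 - 198.51.100.7 python-requests/2.31.0 - 404 0 0 40",
    f"2023-10-11 15:10:58 10.0.0.5 POST {_XAML} - 443 - 198.51.100.7 python-requests/2.31.0 - 302 0 0 171",
    f"2023-12-31 08:14:03 10.0.0.5 POST {_XAML} - 443 - 192.0.2.33 Mozilla/5.0+(Windows+NT+5.1)+Chrome/36.0 - 200 0 0 90",
    "2023-12-31 08:15:00 10.0.0.5 GET /default.js - 443 - 192.0.2.33 curl/7.81.0 - 200 0 0 5",
]

if __name__ == "__main__":
    for ip, s in summarize(scan(SAMPLE_LOG)).items():
        print(ip, s)
```

Point `scan()` at a real log file with `open(path)` instead of `SAMPLE_LOG`; the only per-IP result worth escalating is one where `answered_200` is true, since every probe in this post was answered with 301/302/401/403/404.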

Affected Versions

  • Sitecore Experience Platform 8.x through 10.2 (specific versions vary by configuration)
  • Systems with XAML preview functionality enabled
  • Particularly dangerous on CM servers exposed to the internet

The Offending IPs

In this section, we will detail the activity of the offending IPs. Search your logs for these, as they are directly associated with reconnaissance/exploit attempts.

IPs that appear in log snippets within this post:


| IP Address | Location | ISP / Organization | Domain |
|-------------------|------------------------------------------------------|------------------------------|--------------------------|
| 1.14.64.44 | Chengdu, Sichuan, China (CN), Asia | Tencent cloud computing | - |
| 1.52.24.126 | Ho Chi Minh City, Ho Chi Minh, Vietnam (VN), Asia | FPT Telecom | - |
| 1.54.155.200 | Ho Chi Minh City, Ho Chi Minh, Vietnam (VN), Asia | FPT Telecom | - |
| 3.113.14.7 | Tokyo, Tokyo, Japan (JP), Asia | Amazon.com | amazonaws.com |
| 8.217.145.94 | Hong Kong, Hong Kong (HK), Asia | Alibaba | - |
| 13.212.202.12 | Singapore, Singapore (SG), Asia | Amazon.com | amazonaws.com |
| 20.222.39.209 | Tokyo, Tokyo, Japan (JP), Asia | Microsoft Azure | - |
| 23.237.228.202 | Los Angeles, CA, United States (US), North America | FDCservers.net, Fdcservers | - |
| 40.85.160.229 | Washington, Virginia, United States (US), N. America | Microsoft Azure | - |
| 45.61.158.9 | Dallas, Texas, United States (US), N. America | RouterHosting | cloudzy.com |
| 45.76.106.119 | Minamishinagawa, Tokyo, Japan (JP), Asia | Vultr | vultrusercontent.com |
| 45.114.225.236 | Toronto, Ontario, Canada (CA), N. America | ONIAAS | hostpapavps.net |
| 47.74.20.49 | Tokyo, Tokyo, Japan (JP), Asia | Alibaba | - |
| 60.223.74.237 | Jinzhong, Shanxi, China (CN), Asia | China Unicom | adsl-pool.sx.cn |
| 61.228.77.31 | Taipei, Taipei City, Taiwan (TW), Asia | Chunghwa Telecom | hinet.net |
| 64.52.80.57 | Los Angeles, CA, United States (US), North America | BLNWX | - |
| 66.42.45.19 | Minamishinagawa, Tokyo, Japan (JP), Asia | Vultr | vultrusercontent.com |
| 86.106.158.99 | Zurich, Zurich, Switzerland (CH), Europe | Hydra Communications | - |
| 94.140.11.43 | Miami, Florida, United States (US), North America | NordVPN | - |
| 94.140.11.154 | Miami, Florida, United States (US), North America | NordVPN | - |
| 103.167.135.33 | Hong Kong (HK), Asia | Akari Networks | - |
| 104.234.119.117 | Brazil (BR), South America | Ecxon Datacenter LTDA | - |
| 107.174.186.16 | Santa Clara, CA, United States (US), North America | ColoCrossing | colocrossing.com |
| 115.74.115.124 | Ho Chi Minh City, Ho Chi Minh, Vietnam (VN), Asia | Viettel Group | viettel.vn |
| 139.180.193.19 | Minamishinagawa, Tokyo, Japan (JP), Asia | Vultr | vultrusercontent.com |
| 140.82.32.34 | Frankfurt, Hesse, Germany (DE), Europe | Vultr | vultrusercontent.com |
| 142.171.185.250 | Los Angeles, CA, United States (US), North America | Multacom Corporation | multacom.com |
| 167.88.166.149 | Dallas, Texas, United States (US), North America | RouterHosting | cloudzy.com |
| 167.99.48.250 | Secaucus, Hudson, New Jersey (US), North America | spinup45.clockworkwp.com | - |
| 171.229.231.38 | Hanoi, Hanoi, Vietnam (VN), Asia | Viettel Group | viettel.vn |
| 175.178.248.154 | Guangzhou, Guangdong, China (CN), Asia | Tencent cloud computing | - |
| 185.162.235.217 | Russia (RU), Europe | LLC smart Center | - |
| 193.160.247.15 | London, England, United Kingdom (GB), Europe | NordVPN | - |
| 198.143.57.9 | Dallas, Texas, United States (US), North America | Incapsula | incapdns.net |
| 198.244.212.132 | London, England, United Kingdom (GB), Europe | OVHcloud | ip-198-244-212.eu |
| 203.184.132.244 | Central, Central and Western District, Hong Kong | HGC Broadband | on-nets.com |
| 206.189.179.132 | North Bergen, New Jersey, United States (US), N.Am. | Digital Ocean | - |
| 216.128.141.153 | Dallas, Texas, United States (US), North America | Vultr | vultrusercontent.com |

Other IPs that were associated with probing/attacks but do not appear in log snippets within this post:


| IP Address | Location | ISP / Organization | Domain |
|-------------------|---------------------------------------------------|-------------------------------|----------------------|
| 20.86.112.4 | Amsterdam, North Holland, The Netherlands (NL), Europe | Microsoft Azure | - |
| 103.233.122.199 | Udaipur, Rajasthan, India (IN), Asia | Multinet (Udaipur) Private Limited | - |
| 104.234.119.148 | Brazil (BR), South America | Ecxon Datacenter LTDA | - |
| 136.244.104.119 | Amsterdam, North Holland, The Netherlands (NL), Europe | Vultr | vultrusercontent.com |
| 159.196.13.174 | Brisbane, Queensland, Australia (AU), Oceania | Aussie Broadband | aussiebb.net |
| 176.97.71.120 | Tokyo, Tokyo, Japan (JP), Asia | M247 Europe | - |
| 198.143.44.32 | Tokyo, Tokyo, Japan (JP), Asia | Incapsula | incapdns.net |
| 198.143.44.8 | Tokyo, Tokyo, Japan (JP), Asia | Incapsula | incapdns.net |
| 20.222.191.220 | Tokyo, Tokyo, Japan (JP), Asia | Microsoft Azure | - |
| 50.116.30.112 | Richardson, Texas, United States (US), North America | Akamai Connected Cloud | linodeusercontent.com |

20.86.112.4

This IP attempted to exploit hundreds of different vulnerabilities, and it did so slowly and with altered user agents. This IP is unique in that not only did it attempt to exploit all of the usual WordPress/PHP vulnerabilities, but it also attempted to exploit Sitecore-specific vulnerabilities. This indicates that Sitecore exploits are beginning to be included in common exploit kits, which signals maturity in the exploit kit industry and growing popularity of Sitecore.

86.106.158.99

This IP address exhibited systematic reconnaissance and exploitation attempts across multiple dates and servers. The activity pattern suggests automated scanning with deliberate variation in user agents to evade detection.

Activity Timeline:

  • December 14, 2023: Initial reconnaissance on STAGE CM

    • 21:29:35 UTC - GET request to /
    • 21:29:35 UTC - GET request to /default.js
    • User agents: curl/7.81.0 and python-requests/2.25.1
    • Responses: 301 redirect for root, 200 success for default.js
  • December 18, 2023: Repeated reconnaissance on STAGE CM

    • 21:30:55 UTC - GET request to /
    • 21:30:55 UTC - GET request to /default.js
    • User agents: curl/7.81.0 and python-requests/2.25.1
    • Responses: 301 redirect for root, 200 success for default.js
  • December 31, 2023: XAML Tutorials vulnerability exploitation attempt on STAGE CM

    • 13:14:02 UTC - HEAD request to /
    • 13:14:04 UTC - POST to /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index
    • User agents: Varied Mozilla/5.0 Chrome user agents (Windows NT 6.1 and NT 5.1)
    • Responses: 301 redirect for root, 302 redirect for XAML request
  • January 21, 2024: Multiple DeviceSimulator exploit attempts on PROD CD2

    • 13:03:52 UTC - Four consecutive GET requests to /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview with previewPath=/App_Data/license.xml
    • User agent: curl/7.81.0
    • All requests returned 301 redirects
  • January 28, 2024: Expanded reconnaissance on PROD CD2

    • 08:40:03 UTC - Initial probe to root path /
    • 08:40:04 UTC - Asset enumeration: /default.js and /default.css
    • 08:40:04 UTC - DeviceSimulator exploit attempt with previewPath=/App_Data/license.xml
    • User agents varied between curl/7.81.0 and python-urllib3/2.1.0
    • All requests returned 301 redirects

Attack Characteristics:

  • Primary Targets:
    • XAML Tutorials vulnerability (SC2022-003-510463) - December 31, 2023
    • DeviceSimulator vulnerability (SC2023-001-568150 / SC2023-003-587441) - January 2024
  • Objectives:
    • Attempted to exploit XAML Tutorials deserialization vulnerability
    • Attempted to access /App_Data/license.xml via the DeviceSimulator preview path bypass
  • User Agents: Alternated between curl/7.81.0, python-requests/2.25.1, python-urllib3/2.1.0, and various Chrome user agents to appear as different tools
  • Timing: Requests spaced seconds apart, suggesting manual testing or throttled automation
  • Servers Targeted: STAGE CM (December 2023), PROD CD2 (January 2024)
  • Success Rate: 0% - All attempts resulted in redirects (301/302), indicating vulnerabilities were patched or not present

Interpretation:

The attacker demonstrated knowledge of multiple Sitecore vulnerabilities and followed a methodical progression from initial reconnaissance to targeted exploitation attempts. The activity began with basic asset enumeration on STAGE CM in mid-December, escalated to a XAML Tutorials exploitation attempt on December 31, then shifted focus to the production environment (PROD CD2) in January with DeviceSimulator attacks. The variation in user agents and the progression from basic reconnaissance (checking root, JS files) to targeted exploitation attempts indicates a sophisticated, planned approach. The consistent redirect responses suggest proper security controls and patching were in place across both environments.

94.140.11.43

This IP address engaged in focused DeviceSimulator vulnerability exploitation attempts during a concentrated time window in May 2023. The activity demonstrates systematic path variation testing, attempting multiple encoding and path manipulation techniques to bypass security controls.

Activity Timeline:

  • May 18, 2023 - PROD CM

    • 04:04:25 UTC - Initial DeviceSimulator exploit attempt via HTTP (port 80)
      • Target: /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview
      • Path variations tested: /App_Data/license.xml, \/App_Data/license.xml (escaped forward slash)
      • Response: 301 redirect
    • 04:04:29 UTC - Continued path manipulation testing
      • Path variations tested: /Data/license.xml, \/Data/license.xml (removed App_ prefix)
      • Response: 301 redirect
    • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36
  • May 18, 2023 - STAGING CM

    • 08:33:21 UTC - DeviceSimulator exploit attempts via HTTP (port 80)
      • Path variations tested: \/App_Data/license.xml, /Data/license.xml
      • Response: 404 Not Found
    • 08:34:17 UTC - Additional path variation attempts
      • Path variations tested: /Data/license.xml, \/Data/license.xml
      • Response: 404 Not Found
    • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36
  • May 18, 2023 - PROD CM

    • 12:11:14 UTC - DeviceSimulator exploit attempt via HTTPS (port 443)
      • Target: /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview
      • Path: /App_Data/license.xml
      • Response: 302 redirect
      • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36

Attack Characteristics:

  • Primary Target: DeviceSimulator vulnerability (SC2023-001-568150 / SC2023-003-587441)
  • Objective: Attempted to access /App_Data/license.xml via the DeviceSimulator preview path bypass
  • Tactics: Systematic path manipulation testing using multiple encoding variations:
    • Standard path: /App_Data/license.xml
    • Escaped forward slash: \/App_Data/license.xml
    • Path traversal variation: /Data/license.xml (removed App_ prefix)
    • Escaped path traversal: \/Data/license.xml
  • User Agent: Consistent use of modern Chrome 112 user agent (Chrome/112.0.5615.138) - more believable than older browser versions
  • Protocols: Attempted both HTTP (port 80) and HTTPS (port 443)
  • Servers Targeted:
    • PROD CM - 5 unique request patterns
    • STAGING CM - 4 unique request patterns
  • Success Rate: 0% - All attempts resulted in 301 redirects (PROD) or 404 errors (STAGING), indicating the vulnerability was not successfully exploited
  • Timing Pattern: Three distinct attack windows within the same day:
    • 04:04 UTC - PROD CM via HTTP
    • 08:33-08:34 UTC - STAGING CM via HTTP
    • 12:11 UTC - PROD CM via HTTPS

IIS Log Entries

STAGING CM:

2023-05-18 08:33:21 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/App_Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 62
2023-05-18 08:33:21 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 72
2023-05-18 08:34:17 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 78
2023-05-18 08:34:17 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 79

PROD CM:

2023-05-18 04:04:25 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 15
2023-05-18 04:04:25 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/App_Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 15
2023-05-18 04:04:29 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 15
2023-05-18 04:04:29 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/Data/license.xml 80 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 31
2023-05-18 12:11:14 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 94.140.11.43 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 302 0 0 187

Interpretation:

The attacker's methodology demonstrates an understanding of path manipulation techniques commonly used to bypass input validation. The systematic testing of multiple path variations (/App_Data/license.xml, \/App_Data/license.xml, /Data/license.xml, \/Data/license.xml) suggests the use of an automated exploit script that iteratively tries different encoding and path traversal techniques. The attacker targeted both staging and production environments within hours of each other, indicating either reconnaissance to identify which environment was more vulnerable, or systematic exploitation attempts across all discovered Sitecore instances.

The use of a modern Chrome 112 user agent is notable, as it's more believable than older browser versions commonly used in automated attacks. The rapid-fire nature of the requests (multiple attempts within seconds) combined with the path variation testing indicates automated tooling rather than manual testing.

The varying response codes (301 redirects on PROD, 404 errors on STAGING) suggest different security configurations or vulnerability states between the environments, but in both cases, the attacks were unsuccessful in accessing the target file.

94.140.11.154

This IP address, likely operated by the same threat actor or group as 94.140.11.43 (evidenced by identical user agents and attack methodology), conducted similar DeviceSimulator exploitation attempts one day earlier on May 17, 2023. The activity demonstrates the same systematic path variation testing approach with multiple encoding techniques.

Activity Timeline:

  • May 17, 2023 - PROD CM

    • 15:56:50 UTC - Initial DeviceSimulator exploit attempts via HTTP (port 80)
      • Target: /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview
      • Path variations tested: /App_Data/license.xml, \/App_Data/license.xml (escaped forward slash)
      • Response: 301 redirect
    • 15:56:51 UTC - Path traversal variations
      • Path variations tested: /Data/license.xml, \/Data/license.xml (removed App_ prefix)
      • Response: 301 redirect
    • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36
  • May 17, 2023 - STAGING CM

    • 17:27:36 UTC - DeviceSimulator exploit attempts via HTTP (port 80)
      • First wave: /App_Data/license.xml, \/App_Data/license.xml
      • Response: 404 Not Found
    • 17:27:37 UTC - Path traversal testing
      • Path variations: /Data/license.xml, \/Data/license.xml
      • Response: 404 Not Found
    • 17:27:57 UTC - Repeated testing sequence (same pattern as 17:27:36)
      • Path variations: /App_Data/license.xml, \/App_Data/license.xml
      • Response: 404 Not Found
    • 17:27:59 UTC - Repeated path traversal (same pattern as 17:27:37)
      • Path variations: /Data/license.xml, \/Data/license.xml
      • Response: 404 Not Found
    • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36
  • May 17, 2023 - PROD CM

    • 18:29:31 UTC - DeviceSimulator exploit attempts via HTTPS (port 443)
      • Target: /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview
      • Path variations tested: /App_Data/license.xml, \/App_Data/license.xml
      • Response: 302 redirect
    • 18:29:33 UTC - Path traversal testing via HTTPS
      • Path variations: /Data/license.xml, \/Data/license.xml
      • Response: 302 redirect
    • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36

Attack Characteristics:

  • Primary Target: DeviceSimulator vulnerability (SC2023-001-568150 / SC2023-003-587441)
  • Objective: Attempted to access /App_Data/license.xml via the DeviceSimulator preview path bypass
  • Tactics: Identical to 94.140.11.43 - systematic path manipulation using encoding variations:
    • Standard path: /App_Data/license.xml
    • Escaped forward slash: \/App_Data/license.xml
    • Path traversal variation: /Data/license.xml
    • Escaped path traversal: \/Data/license.xml
  • User Agent: Identical to 94.140.11.43 - Chrome 112 user agent (Chrome/112.0.5615.138)
  • Protocols: Attempted both HTTP (port 80) and HTTPS (port 443)
  • Servers Targeted:
    • PROD CM - 8 unique request patterns across three sessions
    • STAGING CM - 8 unique request patterns (with duplicate testing sequences)
  • Success Rate: 0% - All attempts resulted in 301/302 redirects (PROD) or 404 errors (STAGING)
  • Timing Pattern: Three distinct attack windows:
    • 15:56 UTC - PROD CM via HTTP
    • 17:27 UTC - STAGING CM via HTTP (with repeated testing at 17:27:57)
    • 18:29 UTC - PROD CM via HTTPS

IIS Log Entries:

STAGING CM:

2023-05-17 17:27:36 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 62
2023-05-17 17:27:36 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/App_Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 62
2023-05-17 17:27:37 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 62
2023-05-17 17:27:37 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 62
2023-05-17 17:27:57 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 62
2023-05-17 17:27:57 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/App_Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 78
2023-05-17 17:27:59 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 62
2023-05-17 17:27:59 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 404 8 0 79

PROD CM:

2023-05-17 15:56:50 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 15
2023-05-17 15:56:50 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/App_Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 15
2023-05-17 15:56:51 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 31
2023-05-17 15:56:53 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/Data/license.xml 80 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 301 0 0 31
2023-05-17 18:29:31 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 302 0 0 141
2023-05-17 18:29:32 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/App_Data/license.xml 443 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 302 0 0 78
2023-05-17 18:29:33 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/Data/license.xml 443 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 302 0 0 78
2023-05-17 18:29:34 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=\/Data/license.xml 443 - 94.140.11.154 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/112.0.5615.138+Safari/537.36 - 302 0 0 93

Interpretation:

This IP address exhibits virtually identical attack patterns to 94.140.11.43, strongly suggesting they are part of the same threat actor's infrastructure or exploitation campaign. The identical user agent string (Chrome 112.0.5615.138), same path manipulation techniques, and sequential attack dates (May 17 for this IP, May 18 for 94.140.11.43) indicate a coordinated reconnaissance campaign.

Notable patterns include:

  • Systematic progression: The attacker tested HTTP first, then HTTPS, methodically working through protocol options
  • Repeated testing: On STAGING, the attacker repeated the exact same test sequence at 17:27:57 (20 seconds after the initial attempts), possibly to confirm initial 404 responses or test for rate limiting
  • Multi-environment targeting: Both PROD and STAGING were tested within hours, showing comprehensive reconnaissance of the entire infrastructure
  • Timing coordination: The attacks occurred across a ~3 hour window (15:56-18:29 UTC), suggesting either manual operation or throttled automated scanning

The 94.140.11.x subnet appears to be dedicated to Sitecore vulnerability exploitation, with both IPs using the same modern Chrome user agent and identical attack methodologies. The consistent 301/302/404 responses indicate the attacks were unsuccessful, but the systematic nature suggests the threat actors were building a target database for future exploitation attempts.

45.114.225.236

This IP address conducted limited but targeted DeviceSimulator vulnerability exploitation attempts in late November 2023. Unlike the more aggressive scanning patterns of other IPs, this attacker performed minimal reconnaissance with varied user agents, suggesting either a more cautious approach or testing of specific exploit variations.

Activity Timeline:

  • November 27, 2023 - STAGING CM

    • 11:38:08 UTC - Initial DeviceSimulator exploit attempt via HTTPS (port 443)
      • Target: /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview
      • Path: /App_Data/license.xml
      • Response: 404 Not Found
      • User agent: Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.81+Safari/537.36
    • 11:38:29 UTC - Follow-up attempt with different user agent (21 seconds later)
      • Path: /App_Data/license.xml
      • Response: 404 Not Found
      • User agent: Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.36+Edge/16.16299
  • November 27, 2023 - PROD CM

    • 12:31:55 UTC - DeviceSimulator exploit attempt via HTTPS (port 443)
      • Target: /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview
      • Path: /App_Data/license.xml
      • Response: 401 Unauthorized
      • User agent: Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.36+Edge/16.16299

Attack Characteristics:

  • Primary Target: DeviceSimulator vulnerability (SC2023-001-568150 / SC2023-003-587441)
  • Objective: Attempted to access /App_Data/license.xml via the DeviceSimulator preview path bypass
  • Tactics: Minimal, focused testing:
    • Only tested standard path /App_Data/license.xml (no encoding variations or path traversal attempts)
    • No HTTP attempts - exclusively used HTTPS (port 443)
    • User agent variation between attempts
  • User Agents:
    • Chrome 58 on Windows 7 64-bit: Chrome/58.0.3029.81 (older, more suspicious)
    • Edge 16 (EdgeHTML) user agent carrying the Chrome/58 compatibility token: Chrome/58.0.3029.110+Safari/537.36+Edge/16.16299; its Windows NT 6.1 (Windows 7) platform token is inconsistent with Edge 16, which shipped only on Windows 10, so the string was almost certainly canned rather than produced by a real browser
  • Protocol: HTTPS only (port 443)
  • Servers Targeted:
    • STAGING CM - 2 requests within 21 seconds
    • PROD CM - 1 request approximately 53 minutes after STAGING attempts
  • Success Rate: 0% - All attempts blocked (404 on STAGING, 401 on PROD)
  • Timing Pattern:
    • 11:38 UTC - Two rapid STAGING attempts (21 seconds apart)
    • 12:31 UTC - Single PROD attempt (~53 minutes later)

IIS Log Entries:

STAGING CM:

2023-11-27 11:38:08 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 45.114.225.236 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.81+Safari/537.36 - 404 8 0 15
2023-11-27 11:38:29 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 45.114.225.236 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.36+Edge/16.16299 - 404 8 0 16

PROD CM:

2023-11-27 12:31:55 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 45.114.225.236 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.36+Edge/16.16299 - 401 0 0 78

Interpretation:

This IP address demonstrates a notably different attack pattern compared to the 94.140.11.x subnet IPs. Key distinguishing characteristics include:

  • Minimal testing: Only attempted the basic path without encoding variations or path traversal attempts, suggesting either:

    • A more targeted approach (testing only the most common exploitation method)
    • A less sophisticated attacker
    • Reconnaissance to identify vulnerable targets before deploying more aggressive techniques
  • User agent switching: The attacker changed user agents between the first and second STAGING attempts, possibly testing whether user agent filtering was in place or attempting to appear as different visitors.

  • Temporal spacing: The ~53-minute gap between STAGING and PROD attempts is unusual. Most automated scanners would test both environments in rapid succession. This delay suggests either:

    • Manual testing rather than automated scanning
    • Rate limiting in the attacker's toolset
    • Analysis of STAGING results before proceeding to PROD
  • Chrome 58 user agent: The use of Chrome 58 (released in 2017) is relatively dated compared to the Chrome 112 user agents used by the 94.140.11.x subnet. This older version might be:

    • An attempt to blend in with legacy systems
    • Evidence of an older exploit toolkit
    • Deliberately outdated to avoid modern security detection rules
  • Authentication challenges: The 401 response on PROD (vs 404 on STAGING) indicates PROD had authentication requirements that STAGING lacked, showing proper defense-in-depth security configurations.

The restrained nature of this attack - only three requests total, no encoding variations, no HTTP attempts - could indicate a "low and slow" reconnaissance strategy designed to avoid triggering automated security alerts. Alternatively, this could be an opportunistic scan from a less sophisticated attacker testing publicly documented exploitation techniques.

20.222.39.209

This IP address conducted multiple sitecore_xaml.ashx exploitation attempts in October 2023, demonstrating a methodical approach to testing the XAML deserialization vulnerability across both HTTP and HTTPS protocols.

Activity Timeline:

  • October 11, 2023 - STAGING CM (Multiple Sessions)
    • 12:47:42 UTC - Initial wave of sitecore_xaml exploitation attempts
      • POST to /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index via HTTP (port 80)
      • Response: 301 redirect
      • POST to same path via HTTPS (port 443)
      • Response: 302 redirect
      • GET request to same path via HTTPS
      • Response: 302 redirect
      • User agent: python-requests/2.31.0
    • 13:47:53 UTC - Second wave (~1 hour later)
      • POST via HTTP → 301 redirect
      • POST via HTTPS → 302 redirect
      • GET via HTTPS → 302 redirect
      • User agent: python-requests/2.31.0
    • 15:10:58 UTC - Third wave (~1.5 hours after second wave)
      • POST via HTTP → 301 redirect
      • POST via HTTPS → 302 redirect
      • GET to /sitecore/service/notfound.aspx with parameters → 404
      • GET to /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index → 302 redirect
      • GET to /sitecore/service/notfound.aspx again → 404
      • User agent: python-requests/2.31.0

Attack Characteristics:

  • Primary Target: XAML deserialization vulnerability (sitecore_xaml.ashx)
  • Objective: Attempted to exploit the Sitecore XAML handler for remote code execution
  • Tactics:
    • Systematic testing of both POST and GET methods
    • Protocol testing (HTTP port 80 and HTTPS port 443)
    • Multiple attempts spaced approximately 1 hour apart
    • Testing of error handling pages (/sitecore/service/notfound.aspx)
  • User Agent: Consistent python-requests/2.31.0 (Python automation library)
  • Protocols: Both HTTP (port 80) and HTTPS (port 443)
  • Server Targeted: STAGING CM exclusively
  • Success Rate: 0% - All attempts resulted in 301/302 redirects or 404 errors
  • Timing Pattern: Three attack windows throughout the day:
    • 12:47 UTC - Initial testing
    • 13:47 UTC - Retry after 1 hour
    • 15:10 UTC - Final attempt after ~2.5 hours from start

IIS Log Entries:

STAGING CM:

2023-10-11 12:47:42 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 80 - 20.222.39.209 python-requests/2.31.0 - 301 0 0 221
2023-10-11 12:47:42 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 203
2023-10-11 12:47:42 <redacted_stage_cm_ip> GET /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 173
2023-10-11 13:47:53 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 80 - 20.222.39.209 python-requests/2.31.0 - 301 0 0 203
2023-10-11 13:47:53 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 218
2023-10-11 13:47:53 <redacted_stage_cm_ip> GET /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 203
2023-10-11 15:10:58 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 80 - 20.222.39.209 python-requests/2.31.0 - 301 0 0 203
2023-10-11 15:10:58 <redacted_stage_cm_ip> POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 171
2023-10-11 15:10:58 <redacted_stage_cm_ip> GET /sitecore/service/notfound.aspx item=%2Fsitecore_xaml&user=extranet%5CAnonymous&site=site2 443 - 20.222.39.209 python-requests/2.31.0 - 404 8 0 156
2023-10-11 15:10:58 <redacted_stage_cm_ip> GET /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index - 443 - 20.222.39.209 python-requests/2.31.0 - 302 0 0 173
2023-10-11 15:10:58 <redacted_stage_cm_ip> GET /sitecore/service/notfound.aspx item=%2Fsitecore_xaml&user=extranet%5CAnonymous&site=site2 443 - 20.222.39.209 python-requests/2.31.0 - 404 8 0 156

Interpretation:

This IP demonstrates characteristics of automated scanning with deliberate timing delays between attempts. Key observations:

  • Automated Python scripting: The consistent use of python-requests/2.31.0 indicates a custom Python script rather than an off-the-shelf exploit tool
  • Methodical protocol testing: Each attack wave tested both HTTP and HTTPS, suggesting the script was designed to identify which protocol was vulnerable
  • Error page probing: The requests to /sitecore/service/notfound.aspx in the final wave indicate the attacker was analyzing error responses to gather information about the application structure. Note, however, that the query string on those hits (item=%2Fsitecore_xaml&user=extranet%5CAnonymous&site=site2) is the form Sitecore's own item-not-found redirect produces, and each one follows a 302 from the XAML handler within the same second, so they may simply be python-requests following redirects automatically rather than deliberate probes
  • Timing delays: The ~1 hour gaps between attack waves suggest either:
    • Rate limiting to avoid detection
    • Manual triggering of automated scripts
    • Batch processing with scheduled intervals
  • Persistent targeting: Three separate attempts over 2.5 hours shows determination despite consistent failure responses

The IP address 20.222.39.209 is registered to Microsoft Azure, indicating the attacker was using cloud infrastructure (likely compromised or ephemeral instances) to conduct their reconnaissance. The XAML vulnerability targeted is older than the DeviceSimulator vulnerability, suggesting this attacker was working through a checklist of known Sitecore exploits.

13.212.202.12

This IP address, registered to Amazon AWS in Singapore, conducted DeviceSimulator exploitation attempts across multiple dates in January 2024, targeting both STAGING and PROD environments with user agent variations.

Activity Timeline:

  • January 4, 2024 - PROD CM

    • 17:54:42 UTC - Initial DeviceSimulator exploit attempt via HTTPS (port 443)
      • Path: /App_Data/license.xml
      • Response: 401 Unauthorized
      • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.3
  • January 4, 2024 - STAGING CM

    • 22:08:26 UTC - First STAGING attempt via HTTPS (~4 hours after PROD)
      • Path: /App_Data/license.xml
      • Response: 404 Not Found
      • User agent: Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.81+Safari/537.36 (Windows 7)
    • 22:09:38 UTC - Follow-up attempt (72 seconds later)
      • Path: /App_Data/license.xml
      • Response: 404 Not Found
      • User agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.3 (Windows 10)
  • January 5, 2024 - PROD CM

    • 02:47:35 UTC - Final attempt via HTTPS (~9 hours after STAGING)
      • Path: /App_Data/license.xml
      • Response: 401 Unauthorized
      • User agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_12_6)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.36 (Mac OS X)

Attack Characteristics:

  • Primary Target: DeviceSimulator vulnerability
  • Objective: Attempted to access /App_Data/license.xml
  • Tactics:
    • Minimal path testing (only standard /App_Data/license.xml)
    • User agent rotation to simulate different OS platforms
    • Testing across multiple dates
  • User Agents:
    • Chrome 58 on Windows 7, Windows 10, and Mac OS X
  • Protocol: HTTPS only (port 443)
  • Servers Targeted: Both PROD and STAGING CM
  • Success Rate: 0% - All attempts blocked (404 on STAGING, 401 on PROD)
  • Timing Pattern:
    • 17:54 UTC (Jan 4) - PROD
    • 22:08-22:09 UTC (Jan 4) - STAGING (~4 hours later)
    • 02:47 UTC (Jan 5) - PROD (~9 hours after STAGING)

IIS Log Entries:

STAGING CM:

2024-01-04 22:08:26 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 13.212.202.12 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.81+Safari/537.36 - 404 8 0 231
2024-01-04 22:09:38 <redacted_stage_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 13.212.202.12 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.3 - 404 8 0 224

PROD CM:

2024-01-04 17:54:42 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 13.212.202.12 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.3 - 401 0 0 277
2024-01-05 02:47:35 <redacted_prod_cm_ip> GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml 443 - 13.212.202.12 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_12_6)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.36 - 401 0 0 252

Interpretation:

This IP exhibits a sophisticated multi-day reconnaissance approach. The use of Amazon AWS Singapore infrastructure, user agent rotation across three OS platforms, and the unusual PROD-first targeting pattern suggests either manual testing or a more deliberate reconnaissance campaign. The time gaps between attempts indicate careful, methodical probing rather than rapid automated scanning.

175.178.248.154

This IP conducted some of the earliest DeviceSimulator exploitation attempts observed, appearing just 5 days after the public disclosure in May 2023, with extensive user agent rotation spanning multiple operating systems.

Activity Timeline:

  • May 15, 2023 - PROD CM (Six Attempts)

    • 08:11:54 UTC - Initial attempt
      • User agent: Windows XP, Chrome 35
      • Response: 302 redirect
    • 08:22:07 UTC - Second attempt
      • User agent: Windows 10 Technical Preview, Chrome 41
      • Response: 302 redirect
    • 09:13:27 UTC - Third attempt
      • Same user agent as 08:22:07
      • Response: 302 redirect
    • 09:15:52 UTC - Fourth attempt
      • User agent: Ubuntu Linux, Chrome 53
      • Response: 302 redirect
    • 09:17:55 UTC - Fifth attempt
      • User agent: Windows XP, Chrome 36
      • Response: 302 redirect
    • 09:26:25 UTC - Sixth attempt
      • User agent: Mac OS X Yosemite, Chrome 41
      • Response: 302 redirect
  • May 15, 2023 - STAGING CM (Four Attempts)

    • 08:30:22 UTC - Initial attempts (two simultaneous user agents)
      • Mac OS X, Chrome 49
      • Windows 10, Chrome 89
      • Response: 404 Not Found
    • 09:33:39 UTC - Follow-up
      • User agent: Windows XP, Chrome 41
      • Response: 404 Not Found
    • 09:33:42 UTC - Final attempt
      • User agent: Windows 8.1, Chrome 41
      • Response: 404 Not Found

Attack Characteristics:

  • Early adopter: Just 5 days after public disclosure
  • Extensive user agent rotation: 8+ different user agents across Windows XP, 7, 8.1, 10, Mac OS X, and Ubuntu Linux
  • Legacy OS simulation: Multiple Windows XP user agents (end-of-life OS)
  • Methodical timing: Variable intervals (2-51 minutes)
  • Cross-platform approach: Comprehensive testing across all major OS platforms
  • Success Rate: 0% - All blocked

IIS Log Entries:

PROD CM (excerpt):


```text
2023-05-15 08:11:54 ... 175.178.248.154 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2309.372+Safari/537.36 - 302 0 0 356
2023-05-15 09:15:52 ... 175.178.248.154 Mozilla/5.0+(X11;+Ubuntu;+Linux+i686+on+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2820.59+Safari/537.36 - 302 0 0 256
2023-05-15 09:26:25 ... 175.178.248.154 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_10_1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/41.0.2227.1+Safari/537.36 - 302 0 0 266
```

Interpretation:

The combination of early timing (5 days post-disclosure), extensive user agent diversity, and methodical testing patterns suggests either a security researcher conducting analysis or an advanced threat actor rapidly incorporating new exploits. The use of legacy OS user agents (Windows XP) alongside modern systems and the cross-platform approach indicates comprehensive testing methodology.

40.85.160.229

This Microsoft Azure IP conducted DeviceSimulator exploitation in February 2024 using an advanced technique: HTTP Parameter Pollution (HPP) through parameter doubling, representing a more sophisticated attack vector than standard testing.

Activity Timeline:

  • February 3, 2024 - PROD CM
    • 22:31:19 UTC - Initial attempt via HTTP (port 80)
      • Standard path: previewPath=/App_Data/license.xml
      • Response: 301 redirect
      • User agent: Firefox 121 (very recent at the time)
    • 22:31:19 UTC - Parameter pollution via HTTPS (same second)
      • Unique attack: previewPath=/App_Data/license.xml&previewPath=/App_Data/license.xml
      • Doubled the parameter name in the query string
      • Response: 401 Unauthorized
    • 22:31:29 UTC - Retry (10 seconds later)
      • Same doubled parameter attack
      • Response: 401 Unauthorized

Attack Characteristics:

  • Unique Tactic: HTTP Parameter Pollution (HPP)
    • Tests inconsistent parameter handling across system layers
    • Web servers vs application frameworks may process parameters differently
    • Can bypass security filters that only validate first occurrence
  • Modern tooling: Firefox 121 (very recent)
  • Azure infrastructure: Microsoft cloud
  • Rapid testing: 10-second retry
  • Single environment focus: PROD only
  • Success Rate: 0% - All blocked

IIS Log Entries:

PROD CM:


```text
2024-02-03 22:31:19 ... 40.85.160.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:121.0)+Gecko/20100101+Firefox/121.0 - 301 0 0 14
2024-02-03 22:31:19 ... previewPath=/App_Data/license.xml&previewPath=/App_Data/license.xml ... 40.85.160.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:121.0)+Gecko/20100101+Firefox/121.0 - 401 0 0 61
2024-02-03 22:31:29 ... previewPath=/App_Data/license.xml&previewPath=/App_Data/license.xml ... 40.85.160.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:121.0)+Gecko/20100101+Firefox/121.0 - 401 0 0 29
```

Interpretation:

This IP demonstrates notably advanced techniques. The HTTP Parameter Pollution attack tests whether different system components handle duplicate parameters differently - a sophisticated bypass technique. Combined with modern Firefox 121 user agent and Azure infrastructure, this suggests either an advanced exploitation framework or a skilled security researcher. The focused, rapid testing approach differs markedly from the broad scanning patterns of other IPs.

What to Look For

Check for requests to these paths in your logs to help identify threat actors. In addition to my suggestions, I recommend reading the articles linked at the end of this post to help identify more keywords to search for.

  • /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController
  • /sitecore/shell/ClientBin/Reporting/Report.ashx
  • /sitecore/shell/Invoke.aspx
  • /sitecore/shell/~/xaml/Sitecore.Xaml.Tutorials.Styles.Index
  • /api/sitecore/Sitecore.Mvc.DeviceSimulator
  • Execute.aspx?cmd=
  • Service2.asmx
  • Sitecore.Rocks.Validation.ashx
  • Web.config
  • Browse.aspx
  • Any paths starting with /bin
  • /Telerik.Web.UI.WebResource.axd
  • /sitecore/shell/api/sitecore/ExperienceExplorer
  • SelectUser.xaml
  • /sitecore modules/PowerShell
  • /sitecore/shell/Applications/WebEdit
  • /sitecore modules/Web/
  • /api/sitecore/
  • cmd.exe
  • Any paths containing ../ or %2e%2e%2f (URL encoded ../)
  • /sitecore/login
  • /sitecore/admin
  • <script>
  • javascript:
  • /sitecore/client/Applications
  • ?cmd=
  • ?exec=
  • .config
  • /sitecore/service/
  • sitecore/api/ssc/item
  • /App_Data/diagnostics

Also check your Sitecore logs for:


```text
Sitecore.Support.576660: Request processing stopped due to forbidden input
```
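The list above is easiest to apply as a script rather than by eye. The following is an added example (not code from the original post) that parses IIS W3C log lines using their `#Fields:` directive, URL-decodes the stem and query so that encoded forms such as `%2e%2e%2f` are matched as `../`, checks each request against a subset of the indicators above, and separately flags duplicated query parameter names, which is the HTTP Parameter Pollution pattern seen from 40.85.160.229. The `INDICATORS` list, the `Finding`/`scan` names and the sample log are constructed for the example; client IPs in the sample use the RFC 5737 documentation ranges.

```python
"""Scan IIS W3C log lines for indicator paths and duplicated query parameters.

Added example, not code from the original post.  The log lines are constructed;
client IPs use the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote

# A subset of the "What to Look For" list.  Matching is case-insensitive on the
# URL-decoded stem + query, so "?cmd=" and "../" are found even when encoded.
INDICATORS = [
    "/api/sitecore/Sitecore.Mvc.DeviceSimulator",
    "/sitecore/shell/ClientBin/Reporting/Report.ashx",
    "/sitecore/shell/Invoke.aspx",
    "Execute.aspx?cmd=",
    "Service2.asmx",
    "Sitecore.Rocks.Validation.ashx",
    "web.config",
    "/Telerik.Web.UI.WebResource.axd",
    "/sitecore modules/PowerShell",
    "../",
    "<script>",
    "?cmd=",
    "?exec=",
    "/App_Data/diagnostics",
]

# Constructed sample log; same field order as the Log Parser Studio field list.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-02-03 22:31:19 10.0.0.5 GET /api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview previewPath=/App_Data/license.xml&previewPath=/App_Data/license.xml 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:121.0)+Gecko/20100101+Firefox/121.0 - 401 0 0 61
2024-02-03 22:32:05 10.0.0.5 GET /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 198.51.100.7 curl/8.4.0 - 404 0 2 3
2024-02-03 22:33:40 10.0.0.5 GET /static/%2e%2e%2fWeb.config - 443 - 192.0.2.44 python-requests/2.31.0 - 404 0 2 5
2024-02-03 22:34:00 10.0.0.5 GET /sitecore/shell/Invoke.aspx - 443 - 127.0.0.1 Mozilla/5.0 - 200 0 0 12
2024-02-03 22:35:12 10.0.0.5 GET /products/list page=2&sort=name 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 40
"""


@dataclass
class Finding:
    client_ip: str
    status: str
    url: str
    indicators: list = field(default_factory=list)
    duplicate_params: list = field(default_factory=list)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    names = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            names = raw.split()[1:]          # field order can differ between log files
            continue
        if not raw or raw.startswith("#"):
            continue
        if names is None:
            raise ValueError("request line before #Fields: directive")
        values = raw.split(" ")
        if len(values) != len(names):
            continue                          # truncated line: skip rather than misalign columns
        yield dict(zip(names, values))


def duplicate_params(query):
    """Parameter names that occur more than once in the query string (HPP indicator)."""
    if query == "-":
        return []
    parsed = parse_qs(query, keep_blank_values=True)
    return sorted(name for name, values in parsed.items() if len(values) > 1)


def scan(text, indicators=INDICATORS, exclude_ips=("127.0.0.1",)):
    """Return a Finding for every request that hits an indicator or repeats a parameter."""
    findings = []
    lowered = [i.lower() for i in indicators]
    for rec in parse_w3c(text):
        if rec["c-ip"] in exclude_ips:        # same localhost exclusion as the PowerShell script
            continue
        query = rec["cs-uri-query"]
        url = rec["cs-uri-stem"] + ("" if query == "-" else "?" + query)
        decoded = unquote(url).lower()        # %2e%2e%2f becomes ../ before matching
        hits = [indicators[i] for i, needle in enumerate(lowered) if needle in decoded]
        dups = duplicate_params(query)
        if hits or dups:
            findings.append(Finding(rec["c-ip"], rec["sc-status"], url, hits, dups))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client_ip:>14} {f.status} {f.url}")
        print(f"    indicators={f.indicators} duplicate_params={f.duplicate_params}")
```

Run it against a real log by reading the file into `scan()`. Because matching happens on the decoded URL, the same indicator list catches both `../` and `%2e%2e%2f`; the duplicate-parameter check is independent of the indicator list, so a repeated `previewPath` is reported even if you trim the list down.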

Scripts and Tools for Log Analysis

Log Parser Studio

I found Log Parser Studio to be helpful in analyzing IIS logs.

Log Parser Studio screenshot

The queryable fields are:


```text
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
```

Some useful queries follow.


```sql
/* Lists the 100 client IP addresses (`UserIP`) with the most requests in your IIS logs, showing how many hits each made (`Hits`) and the last date each was seen (`LastAccess`). Useful for identifying the most active clients or potentially suspicious activity. */
SELECT TOP 100 c-ip as UserIP, COUNT(*) as Hits, MAX(date) as LastAccess
FROM '[LOGFILEPATH]'
GROUP BY c-ip
ORDER BY Hits DESC
```


```sql
/* Retrieves the top 100 requests that resulted in HTTP error status codes (4xx/5xx), excluding localhost, and shows method, URL, client IP, user agent, date, and time. Useful for quickly spotting failed or suspicious activity. */
SELECT TOP 100 cs-uri-stem as URL, cs-method as Method, c-ip as ClientIP, sc-status as StatusCode, cs(User-Agent) as UserAgent, date as Date, time as Time
FROM '[LOGFILEPATH]'
WHERE sc-status >= 400 AND sc-status < 600 AND NOT c-ip = '127.0.0.1'
ORDER BY Date DESC
```


```sql
/* The QUANTIZE function allows you to aggregate stats for a period of time thus allowing you to see spikes in a given time period. This helps identify times in which your site was heavily scanned. Source: https://stackoverflow.com/questions/19528748/what-are-some-suggested-logparser-queries-to-run-to-detect-sources-of-high-netwo */
SELECT QUANTIZE(TO_LOCALTIME(TO_TIMESTAMP(date, time)), 900) AS LocalTime,
       COUNT(*) AS Hits,
       SUM(sc-bytes) AS TotalBytesSent,
       DIV(MUL(1.0, SUM(time-taken)), Hits) AS LoadTime,
       SQRROOT(SUB(DIV(MUL(1.0, SUM(SQR(time-taken))), Hits), SQR(LoadTime))) AS StandardDeviation
INTO '[OUTFILEPATH]'
FROM '[LOGFILEPATH]'
WHERE '[WHERECLAUSE]'
GROUP BY LocalTime
ORDER BY LocalTime
```
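When Log Parser is not available (for example when the logs have been copied off the server), the same QUANTIZE idea is easy to reproduce. The following is an added example, not code from the original post: it floors each request timestamp to a 15-minute window, computes hits plus the mean and population standard deviation of `time-taken` per window (the `LoadTime` and `StandardDeviation` columns of the query above), and flags windows whose hit count is far above the median window. Timestamps are left in UTC, the log's native zone, rather than converted as `TO_LOCALTIME` does. Values are read positionally (date and time first, `time-taken` last), so the `#Fields:` order must match the list above; the sample lines and the `bucket`/`spikes` names are constructed for the example.

```python
"""Bucket IIS log requests into fixed windows (the QUANTIZE idea) and flag spikes.

Added example, not from the original post.  Fields are read positionally, so
the log's #Fields: order must match the one shown above.  Sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-15 08:05:10 10.0.0.5 GET / - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 30
2023-05-15 08:11:54 10.0.0.5 GET /api/sitecore/x - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 356
2023-05-15 08:12:01 10.0.0.5 GET /sitecore/shell/Invoke.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 260
2023-05-15 08:12:05 10.0.0.5 GET /sitecore/admin - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 250
2023-05-15 08:12:09 10.0.0.5 GET /sitecore/login - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 255
2023-05-15 08:13:30 10.0.0.5 GET /Browse.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 404 0 2 265
2023-05-15 08:22:07 10.0.0.5 GET /api/sitecore/x - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 300
2023-05-15 08:33:39 10.0.0.5 GET / - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 400
2023-05-15 09:13:27 10.0.0.5 GET /api/sitecore/x - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 256
"""


def quantize(ts, window=900):
    """Floor a timestamp to the start of its window (window must divide 86400)."""
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second
    start = secs - secs % window
    return ts.replace(hour=start // 3600, minute=(start % 3600) // 60, second=0, microsecond=0)


def bucket(text, window=900):
    """Map window start -> hits, mean time-taken (ms) and its population std dev."""
    per_window = defaultdict(list)
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        per_window[quantize(ts, window)].append(int(parts[-1]))   # time-taken is the last field
    return {
        start: {"hits": len(v), "load_time": mean(v), "stdev": pstdev(v)}
        for start, v in sorted(per_window.items())
    }


def spikes(stats, factor=3.0):
    """Window starts whose hit count exceeds `factor` times the median window."""
    baseline = median([s["hits"] for s in stats.values()])
    return [start for start, s in stats.items() if s["hits"] > factor * baseline]


if __name__ == "__main__":
    stats = bucket(SAMPLE_LOG)
    for start, s in stats.items():
        print(f"{start:%Y-%m-%d %H:%M}  hits={s['hits']:3d}  load={s['load_time']:.1f}ms  sd={s['stdev']:.1f}")
    print("spikes:", [f"{s:%H:%M}" for s in spikes(stats)])
```

The median baseline is deliberately simple; on a busy site you would compare each window against the same window on previous days instead, but the bucketing step is identical.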

PowerShell Scripts for Scanning IIS Logs


```powershell
# Optimized to reduce memory usage and allows you to specify certain filters. It reads the log files line by line and processes them one at a time. This is useful when working with large log files or a large number of log files.

# Summary:
# This PowerShell script scans all IIS log files under C:\inetpub\logs\LogFiles (recursively),
# reading each log file line by line to save memory. It skips commented lines and lines from localhost (127.0.0.1),
# and writes all other log entries to an output file on your Desktop. Progress is displayed as files are processed.
# Once finished, the script shows the first 100 lines from the filtered results file.

Write-Host "Analyzing IIS log files..."
$files = Get-ChildItem -Path "C:\inetpub\logs\LogFiles" -Recurse -Filter "*.log"
$totalFiles = $files.Count
$count = 0

# Define the output file path
$outputFile = "$env:USERPROFILE\Desktop\output.txt"

# Create or clear the output file
if (Test-Path -Path $outputFile) {
    Clear-Content -Path $outputFile
} else {
    New-Item -Path $outputFile -ItemType File | Out-Null
}

foreach ($file in $files) {
    $count++
    Write-Progress -Activity "Processing log files" -Status "Processing $($file.Name)" -PercentComplete (($count / $totalFiles) * 100)

    # Use a stream reader to process the file line by line
    $reader = [System.IO.File]::OpenText($file.FullName)
    try {
        while ($null -ne ($line = $reader.ReadLine())) {
            # Skip commented lines
            if ($line -match "^#") {
                continue
            }

            # Exclude lines containing the unwanted IP addresses
            if ($line -notmatch "127\.0\.0\.1") {
                Add-Content -Path $outputFile -Value $line
            }
        }
    } finally {
        # Always release the file handle, even if a line fails to process
        $reader.Close()
    }
}

Write-Progress -Activity "Processing log files" -Completed

Write-Host "Done. First 100 lines of output:"
Get-Content -Path $outputFile | Select-Object -First 100
```


```powershell
# Note that you will need PowerShell v7 to run this script. Installing it is easy and shouldn't cause any issues with your existing PowerShell / Sitecore installation.

# Number of parallel threads. For I/O bound operations, we can safely set this to 2-4x the total number of cores. Start small and monitor the system performance.
$throttleLimit = 32

$searchPatterns = @(
    'SEARCH_FOR_1',
    'SEARCH_FOR_2',
    'SEARCH_FOR_3'
)

Get-ChildItem -Path 'C:\inetpub\logs\LogFiles' -Recurse -Filter '*.log' |
    ForEach-Object -Parallel {
        $file = $_
        # $using: is required to read variables from the calling scope inside a -Parallel block
        foreach ($pattern in $using:searchPatterns) {
            Select-String -Path $file.FullName -Pattern $pattern | ForEach-Object {
                $_.Path + ":" + $_.LineNumber + ":" + $_.Line
            }
        }
    } -ThrottleLimit $throttleLimit | Out-File -FilePath "$env:USERPROFILE\Desktop\output.txt"
```


```powershell
# Single thread approach
Get-ChildItem -Path 'C:\inetpub\logs\LogFiles' -Recurse -Filter '*.log' | Select-String -Pattern 'SEARCH_FOR' | ForEach-Object { $_.Path + ":" + $_.LineNumber + ":" + $_.Line } | Out-File -FilePath 'C:\Users\YOUR_USER\Desktop\output.txt'

# Parallelism support (PowerShell 7+)
Get-ChildItem -Path 'C:\inetpub\logs\LogFiles' -Recurse -Filter '*.log' | ForEach-Object -Parallel {
    Select-String -Path $_.FullName -Pattern 'SEARCH_FOR' | ForEach-Object {
        $_.Path + ":" + $_.LineNumber + ":" + $_.Line
    }
} -ThrottleLimit NUMBER_OF_CORES | Out-File -FilePath 'C:\Users\YOUR_USER\Desktop\output.txt'
```

Reflection and Action Items

Question Checklist

For every security bulletin, you should be able to answer "yes" to all of the following questions:

  1. Do you know when the vulnerability was announced?
  2. Do you know when the patches were applied?
  3. Do you know which roles the patches needed to be applied to? Were they?
  4. Were patches applied to all environments / servers / roles (CM, CD, xConnect, etc.)?
  5. Were patches applied before the first exploit attempts?
  6. Do you have a process in place to monitor for these types of attacks?
  7. Do you have a process in place to block IPs that are attempting to exploit these vulnerabilities?

Miscellaneous Action Items

  • Block user agents containing zgrab because the tool is used to collect info on TLS handshakes.
  • Block all incoming requests to your servers except those originating from a trusted WAF provider.
  • Have tools and automations in place to scan your IIS, Sitecore, and system logs.
  • Employ a push notification system rather than engaging in manual log reviews in which reconnaissance and exploits can easily be missed.
  • Ensure that your TLS / encryption ciphers are configured properly. This is a common attack vector for hackers. You can use a tool like https://www.ssllabs.com/ssltest/ or https://www.immuniweb.com/ssl to check your server's configuration.
  • Turn off your default IIS sites.
  • Explore tools such as https://www.nartac.com/Products/IISCrypto to disable insecure ciphers and protocols.
  • Use country blocking when possible for maximum protection with the least amount of effort.
  • Use a WAF.
  • Keep your Sitecore installation up to date with the latest security patches.
  • Monitor your logs for suspicious activity.
  • Whenever you see a critical vulnerability bulletin, perform an extensive log search for keywords which appeared in the bulletin and in the contents of the hotfix files themselves. This will help you identify if the vulnerability was exploited in your environment.
  • Run a full scan on your server to ensure that no malware has been installed.
  • Check inetpub\history, where IIS keeps its configuration history, for unexpected configuration changes.
  • Subscribe to the Sitecore Security Bulletin to stay up to date with the latest security vulnerabilities: https://support.sitecore.com/kb?id=kb_search&kb_knowledge_base=44035465db70dc109e54320a689619bf.

IIS URL Rewrites

Below is a sample set of IIS rewrite rules to get you started on blocking known malicious IPs, paths, and query strings.


```xml
<rewrite>
  <globalRules>
    <rule name="Block known malicious IPs" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{REMOTE_ADDR}" pattern="INSERT_YOUR_IP_LIST_HERE" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
    <rule name="Block known malicious paths" stopProcessing="true">
      <match url="ajaxprocessor\.jsp|cgi-bin\/login\.cgi|af\.internalsubmit\.json|ekajaxtransform\.aspx|\/poc\.jsp\/|lucee\/admin\/imgProcess\.cfm|\/MUP\/|\/etc\/passwd|\.php|\/cgi-bin\/|\.af\.internalsubmit\.json|trace\.axd|&lt;script>" />
      <action type="AbortRequest" />
    </rule>
    <rule name="Block known malicious query strings" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <!-- MatchAny is required here: the default grouping is MatchAll, which would only fire when every pattern appears in the same query string -->
      <conditions logicalGrouping="MatchAny">
        <add input="{QUERY_STRING}" pattern="*&lt;script>*" />
        <add input="{QUERY_STRING}" pattern="*%3Cscript%3E*" />
        <add input="{QUERY_STRING}" pattern="*svg/onload*" />
        <add input="{QUERY_STRING}" pattern="*base64_decode*" />
        <add input="{QUERY_STRING}" pattern="*alert`1337`*" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
    <rule name="Block Known Common Malicious User Agents" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions logicalGrouping="MatchAny">
        <!-- Simplistic, but effective -->
        <add input="{HTTP_USER_AGENT}" pattern="*python-requests*" />
        <add input="{HTTP_USER_AGENT}" pattern="*curl*" />
        <add input="{HTTP_USER_AGENT}" pattern="*Go-http-client*" />
        <add input="{HTTP_USER_AGENT}" pattern="*Python-urllib*" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
  </globalRules>
</rewrite>
```
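Rewrite rules are easy to get subtly wrong, so it pays to dry-run them against sample requests before deploying. The following is an added example, not tooling from the original post: it loads a trimmed copy of the rule set above and re-implements only the subset of URL Rewrite semantics these rules rely on (Wildcard and ECMAScript patterns, case-insensitive matching, `MatchAll`/`MatchAny` condition grouping, `AbortRequest`). Two behaviours of the real module are reproduced on purpose: the `match url` input is the site-relative path without a leading slash, and `<conditions>` defaults to `logicalGrouping="MatchAll"`. The IP range in the rule set, the sample requests and the `rules_xml`/`evaluate` names are constructed for the example.

```python
"""Dry-run IIS URL Rewrite blocking rules against sample requests.

Added example, not the post's own tooling.  Only the URL Rewrite features used
by the rules above are modelled; the IP range and requests are constructed.
"""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the rule set above.  QS_GROUPING is swapped in by rules_xml().
RULES_TEMPLATE = r"""<rewrite>
  <globalRules>
    <rule name="Block known malicious IPs" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{REMOTE_ADDR}" pattern="198.51.100.*" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
    <rule name="Block known malicious paths" stopProcessing="true">
      <match url="cgi-bin\/login\.cgi|\/etc\/passwd|\.php|trace\.axd|&lt;script>" />
      <action type="AbortRequest" />
    </rule>
    <rule name="Block known malicious query strings" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions QS_GROUPING>
        <add input="{QUERY_STRING}" pattern="*&lt;script>*" />
        <add input="{QUERY_STRING}" pattern="*%3Cscript%3E*" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
    <rule name="Block Known Common Malicious User Agents" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTP_USER_AGENT}" pattern="*python-requests*" />
        <add input="{HTTP_USER_AGENT}" pattern="*curl*" />
      </conditions>
      <action type="AbortRequest" />
    </rule>
  </globalRules>
</rewrite>"""


def rules_xml(query_match_any=False):
    """Rule set with or without logicalGrouping="MatchAny" on the query-string conditions."""
    grouping = 'logicalGrouping="MatchAny"' if query_match_any else ""
    return RULES_TEMPLATE.replace("QS_GROUPING", grouping)


def _matches(pattern, syntax, value):
    # URL Rewrite is case-insensitive unless ignoreCase="false".  Wildcard patterns
    # must cover the whole input; ECMAScript regexes match anywhere in it.
    if syntax == "Wildcard":
        return re.match(fnmatch.translate(pattern), value, re.IGNORECASE) is not None
    return re.search(pattern, value, re.IGNORECASE) is not None


def evaluate(xml_text, request):
    """Name of the first AbortRequest rule that fires for `request`, or None.

    request keys: path (site-relative, no leading slash, as URL Rewrite sees it),
    query (raw, undecoded), user_agent, remote_addr.
    """
    server_vars = {
        "{QUERY_STRING}": request["query"],
        "{HTTP_USER_AGENT}": request["user_agent"],
        "{REMOTE_ADDR}": request["remote_addr"],
    }
    for rule in ET.fromstring(xml_text).iter("rule"):   # rules run in document order
        syntax = rule.get("patternSyntax", "ECMAScript")
        if not _matches(rule.find("match").get("url"), syntax, request["path"]):
            continue
        conds = rule.find("conditions")
        if conds is not None:
            results = [_matches(c.get("pattern"), syntax, server_vars[c.get("input")])
                       for c in conds.findall("add")]
            # Default grouping is MatchAll: every <add> must match for the rule to fire.
            grouping = conds.get("logicalGrouping", "MatchAll")
            if not (all(results) if grouping == "MatchAll" else any(results)):
                continue
        if rule.find("action").get("type") == "AbortRequest":
            return rule.get("name")
    return None


# Constructed sample requests; client IPs from the RFC 5737 documentation ranges.
REQUESTS = {
    "cgi":    {"path": "cgi-bin/login.cgi", "query": "", "user_agent": "Mozilla/5.0", "remote_addr": "203.0.113.9"},
    "passwd": {"path": "etc/passwd", "query": "", "user_agent": "Mozilla/5.0", "remote_addr": "203.0.113.9"},
    "script": {"path": "search", "query": "q=<script>alert(1)</script>", "user_agent": "Mozilla/5.0", "remote_addr": "203.0.113.9"},
    "curl":   {"path": "", "query": "", "user_agent": "curl/8.4.0", "remote_addr": "203.0.113.9"},
    "bad_ip": {"path": "index.html", "query": "", "user_agent": "Mozilla/5.0", "remote_addr": "198.51.100.7"},
}

if __name__ == "__main__":
    for flag in (False, True):
        print(f"query-string conditions MatchAny={flag}")
        for name, req in REQUESTS.items():
            print(f"  {name:7} -> {evaluate(rules_xml(flag), req)}")
```

Two things the dry run surfaces. First, because `<conditions>` defaults to `MatchAll`, a query-string rule that lists several patterns without `logicalGrouping="MatchAny"` only fires when every pattern is present in the same request, so a lone `<script>` payload passes; with `MatchAny` the rule behaves as intended. Second, since the matched URL carries no leading slash, regex alternatives that begin with `\/` (such as `\/etc\/passwd`) only match when that string appears after the first path segment, which is fine for traversal attempts but not for a request to that path at the site root.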

Bug Bounties

Sitecore has a bug bounty program: https://www.sitecore.com/legal/security:

If you discover a security bug or vulnerability on a Sitecore website, please report it by sending an email to securityvulnerability@sitecore.com. Sitecore partners with HackerOne, and depending on the scope and criticality of the issue, it may be eligible for a reward.

Help Others

Report cases of abuse. In this case, I reported the offending IP address to the hosting providers. This may deter the hackers from exploiting other sites.

Additional Reading

Disclaimer

This analysis is not exhaustive. Same applies to the recommendations. There are almost certainly some paths that were missed. Go through the blog posts outlining the vulnerabilities and verify for yourself!

Stay vigilant,

-MG

