A major security warning has been issued for Sitecore, a software platform widely used by prominent companies, including banks and airlines, to manage their websites. Researchers discovered three flaws that can be chained together to grant hackers complete control over vulnerable servers, starting with a laughably simple built-in password: the single letter ‘b’.
Here’s how it works: first, hackers can log in to a built-in account using the shockingly easy ‘b’ password. While this account doesn’t have full admin rights, it gives them a crucial foothold. From there, they can exploit a second flaw in the file upload feature, which lets them plant malicious files anywhere on the website’s server.
If a common Sitecore extension is also installed, they can exploit a third vulnerability to trigger those files, gaining total control to run any command they want.
The cybersecurity firm watchTowr, which discovered the issue, warns that all Sitecore versions from 10.1 to 10.4 are at risk. This could affect as many as 22,000 servers that are connected to the internet. The firm’s CEO described the potential for damage as “massive,” stating, “If you’re running Sitecore, it doesn’t get worse than this.”
While there are no reports of hackers using this attack yet, a patch is now available from Sitecore. Experts are urging all users to change their credentials and update their systems immediately before cybercriminals discover how to exploit the flaw themselves.