Sitecore CVE-2021-42237: another .NET deserialization RCE in a CMS you forgot was internet-facing
CVE-2021-42237 is an insecure-deserialization RCE in Sitecore XP. It's the same .NET deserialization footgun that keeps showing up in enterprise web apps, on a CMS that often sits forgotten but internet-facing.
CVE-2021-42237 is an insecure-deserialization remote code execution flaw in Sitecore Experience Platform (XP), reachable pre-authentication through a report-rendering handler that deserialized attacker-controlled data. It’s the same class of bug as the Mirth Connect, SharePoint, and Aspera Faspex entries: untrusted data fed to a deserializer that will instantiate and execute objects. Here it’s .NET’s serialization on a major enterprise CMS, and like every CMS, Sitecore tends to be internet-facing and, too often, half-forgotten.
What the bug is
In affected Sitecore XP versions, the Report.ashx handler deserialized user-supplied data without restricting the types it would instantiate, letting an unauthenticated attacker send a malicious serialized payload that executes code on the server. Sitecore released fixes, and CISA added the CVE to its KEV catalog with the ransomware flag after in-the-wild exploitation (web shells and follow-on activity). The impact is full server compromise on the platform that runs the organization’s web presence and often holds content workflows, integrations, and credentials.
The recurring .NET deserialization problem
This is worth restating because it keeps recurring across the catalog: native object deserialization of untrusted input is dangerous in every ecosystem, and .NET’s BinaryFormatter and friends are a particularly well-trodden path to RCE via gadget chains. The fixes are the same ones the WS_FTP and Aspera entries call for:
- Don’t deserialize untrusted input with type-permissive serializers. Avoid BinaryFormatter entirely (Microsoft has deprecated it for exactly this reason); use data-only formats (JSON) with strict, allowlist-based binding.
- If you must deserialize, allowlist the permitted types and reject everything else by default.
- Treat any handler that deserializes request data as critical attack surface in code review.
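To make the three fixes concrete, here is an added example (not Sitecore's code; `ReportRequest`, `AllowlistBinder` and `ReportHandler` are hypothetical names) showing the type-permissive pattern behind this bug class next to a type-allowlisting stop-gap and the data-only replacement:

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical data-only contract: the only shape a report handler needs.
public sealed class ReportRequest
{
    public string ReportId { get; set; } = "";
    public int Page { get; set; }
}

// Binder that refuses to resolve any type not on the allowlist.
sealed class AllowlistBinder : SerializationBinder
{
    static readonly Type[] Allowed = { typeof(ReportRequest) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;
        // Reject by default: unknown types never get instantiated.
        throw new SerializationException($"Type '{typeName}' is not allowlisted");
    }
}

static class ReportHandler
{
    // BEFORE: the pattern behind CVE-2021-42237. Whatever type the stream
    // names is instantiated, so a gadget chain in the body runs on the server.
    // BinaryFormatter is deprecated and disabled by default in current .NET.
    public static object VulnerableDeserialize(byte[] body)
    {
        var fmt = new BinaryFormatter();
        return fmt.Deserialize(new MemoryStream(body));
    }

    // STOP-GAP while migrating: pin a binder so only allowlisted types bind.
    // Microsoft's guidance is that a binder alone does not make
    // BinaryFormatter safe; it narrows the surface, it does not remove it.
    public static ReportRequest DeserializeWithAllowlist(byte[] body)
    {
        var fmt = new BinaryFormatter { Binder = new AllowlistBinder() };
        return (ReportRequest)fmt.Deserialize(new MemoryStream(body));
    }

    // AFTER: data-only format bound to one concrete type. The input carries
    // no type names, so there is nothing for it to instantiate.
    public static ReportRequest SafeDeserialize(string json) =>
        JsonSerializer.Deserialize<ReportRequest>(json)
        ?? throw new ArgumentException("empty request body");
}
```

The code-review rule from the list above is the third method's shape: a request body maps onto one declared type, and the deserializer never reads a type name from the wire.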
What to do
- Patch Sitecore XP to a fixed version per Sitecore’s advisory. Given pre-auth RCE with public exploitation, prioritize it.
- Get the CMS admin and reporting endpoints off the open internet where possible; the public site doesn’t need the management surface exposed.
- Inventory your Sitecore (and CMS) footprint. As with the Mirth “name your plumbing” lesson, the dangerous instances are the ones nobody remembers running. Find them.
- Assume compromise on exposed, unpatched instances. Hunt for web shells, the IIS worker spawning shells, and unexpected outbound connections, and rotate credentials the server held.
The reframe is the one the deserialization entries keep delivering: the bug class is old and well understood, the fixes are known, and it still ships, especially in big enterprise apps where a deserializing handler hides in a feature nobody audits. Patch Sitecore, keep its management surface off the internet, and in your own .NET code retire the type-permissive serializers. We flag the deserialization entries as a family because they recur across products and languages, and the defense is the same every time, when it’s actually applied.