A blog post published today outlines the risk (CVE-2025-34509) of Sitecore shipping a default user, Sitecore\ServicesAPI, with the password b. The user usually has no default roles; however, being able to authenticate as it already puts an attacker one step inside the system.
Setting a secure and strong password could probably be sufficient. I have not yet seen an official statement from Sitecore.
Read all details of the disclosure here: Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform
According to the setup-script analysis, vulnerable databases ship with 10.1, 10.2, 10.3 and 10.4; 9.3 and 10.0 did not yet set this password for the user (source: labs.watchtower.com).
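As a first check on an existing instance, the query below lists the membership record of the ServicesAPI account in Sitecore's Core database and flags whether its password has ever been changed since the account was created. This is an added example, not code from the original post or from the watchTowr write-up. It assumes the Core database uses the standard ASP.NET Membership tables (aspnet_Users, aspnet_Membership), which Sitecore builds on; the database name Sitecore_Core is an assumption and must be replaced with the real one.

```sql
-- Added example, not from the original post. Assumes Sitecore's Core database
-- uses the standard ASP.NET Membership tables (aspnet_Users, aspnet_Membership).
-- Database name "Sitecore_Core" is an assumption; adjust it to your instance.
USE [Sitecore_Core];

SELECT
    u.UserName,
    m.IsApproved,
    m.IsLockedOut,
    m.CreateDate,
    m.LastPasswordChangedDate,
    m.LastLoginDate,
    -- If the password was never changed after the account was created, it is
    -- still whatever the setup script wrote (the default "b" on affected 10.x).
    CASE
        WHEN m.LastPasswordChangedDate <= m.CreateDate
            THEN 'DEFAULT PASSWORD LIKELY - rotate it'
        ELSE 'password rotated after creation'
    END AS PasswordStatus
FROM dbo.aspnet_Users AS u
JOIN dbo.aspnet_Membership AS m
    ON m.UserId = u.UserId
WHERE u.LoweredUserName = 'sitecore\servicesapi';
```

Run this against every Core database in the deployment (each content-management and content-delivery instance that has its own copy). If the account is flagged, rotate the password through Sitecore's own user management rather than editing the stored hash directly, so the membership provider's hashing and salt settings are honoured, and re-run the query to confirm LastPasswordChangedDate moved forward.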
More
- Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform
- Hard-Coded ‘b’ Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments