Impact
The vulnerability allows a remote, unauthenticated attacker to retrieve the plain-text credentials that the site uses to connect to the Sitefinity Insight web service. No valid account on the Sitefinity application is needed to obtain them. The recovered credentials can then be used to gain unauthorized access to the Insight service, and to any other component that shares the same credentials. This is a serious exposure of authentication material and a plausible stepping stone to wider compromise of the Sitefinity environment. Because the credentials are recoverable without authentication, applying the fix alone does not close the exposure: credentials that may already have been retrieved should be rotated once the affected build is upgraded.
Affected Systems
Progress Software's Sitefinity web content management system is affected in multiple version ranges, each inclusive: 14.0.7700 through 14.4.8152 (spanning the 14.0 to 14.4 minor releases), 15.0.8200 through 15.0.8234, 15.1.8300 through 15.1.8335, 15.2.8400 through 15.2.8441, 15.3.8500 through 15.3.8531, and 15.4.8600 through 15.4.8630. The flaw is present only when the Sitefinity Insight service is actively integrated and the site is not using the default configuration. Versions outside these ranges, including later builds, are not listed as affected.
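The version ranges and the two preconditions above are the practical test of whether a given site is exposed. The following script is an added example for this page, not Progress Software's tooling: it parses Sitefinity version strings, checks them against the ranges exactly as listed, and combines the result with the two preconditions the advisory names. The inventory rows, host names and the `insight` / `default_config` field names are constructed for the example.

```python
"""Affected-version triage for the Sitefinity Insight credential-exposure advisory.

Example code added to this page; not Progress Software's tooling. The ranges are
copied from the Affected Systems section. The inventory format and the two
boolean flags are assumptions about how a practitioner records the preconditions.
"""
import re
from typing import Iterable

# (lowest affected, highest affected), inclusive, as listed in the advisory.
AFFECTED_RANGES = [
    ("14.0.7700", "14.4.8152"),
    ("15.0.8200", "15.0.8234"),
    ("15.1.8300", "15.1.8335"),
    ("15.2.8400", "15.2.8441"),
    ("15.3.8500", "15.3.8531"),
    ("15.4.8600", "15.4.8630"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '15.2.8441' (optionally with a fourth numeric part) into a comparable tuple.

    Anything that is not dot-separated integers is rejected, so a malformed
    inventory row fails loudly instead of silently comparing as 'not affected'.
    Only major.minor.build take part in the comparison; the ranges are stated
    at that granularity.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2,3}", text):
        raise ValueError(f"unrecognised Sitefinity version string: {text!r}")
    return tuple(int(p) for p in text.split("."))[:3]


def version_in_affected_range(version: str) -> bool:
    """True if the version falls inside any listed range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def assess(version: str, insight_integrated: bool, default_configuration: bool) -> str:
    """Combine the version check with the advisory's two preconditions.

    A site is 'vulnerable' only when the build is in range, Insight is integrated
    and the configuration is non-default. An in-range build that misses a
    precondition is still flagged so it is not forgotten if Insight is enabled later.
    """
    if not version_in_affected_range(version):
        return "not-affected"
    if insight_integrated and not default_configuration:
        return "vulnerable"
    return "version-affected-but-preconditions-unmet"


def triage(inventory: Iterable[dict]) -> dict[str, str]:
    """Assess every site record -> {host: status}."""
    return {
        row["host"]: assess(row["version"], row["insight"], row["default_config"])
        for row in inventory
    }


# Constructed sample inventory (host names and values invented for the example).
SAMPLE_INVENTORY = [
    {"host": "cms-prod-01", "version": "15.2.8441", "insight": True, "default_config": False},
    {"host": "cms-prod-02", "version": "15.2.8441", "insight": False, "default_config": False},
    {"host": "cms-stage-01", "version": "15.4.8631", "insight": True, "default_config": False},
    {"host": "cms-legacy-01", "version": "14.3.8000", "insight": True, "default_config": False},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The boundary builds matter: 15.4.8630 is in range, 15.4.8631 is not, and the 14.x range covers every build from 14.0.7700 up to 14.4.8152 rather than only the 14.0 and 14.4 lines. Feed the script your real inventory, then verify the Insight and configuration flags against each site rather than trusting recorded values, since those two facts decide the outcome.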
Risk and Exploitability
The CVSS score of 10 indicates maximum severity. No EPSS score is available, so the current probability of exploitation cannot be quantified; the absence of EPSS data does not imply low risk. The vulnerability is not listed in the CISA KEV catalog, but it remains a critical issue because exploitation requires no credentials and can be performed remotely. The advisory characterises the flaw as inadequate protection of the stored Insight credentials, reachable through a remote, unauthenticated request; it does not name the endpoint or the request format, so detection and verification should be built from the vendor's details rather than from this summary. Successful exploitation depends on the two preconditions already noted: the Insight integration must be present and the site must be on a non-default configuration. Those two facts, not the CVSS or KEV status, are the practical test of whether a given deployment is exposed.
OpenCVE Enrichment