
Sitecore Zero-Day Exploit Actively Attacked (CVE-2025-53690)

Summary

– A zero-day vulnerability (CVE-2025-53690) in Sitecore solutions allows remote code execution via ViewState deserialization attacks when machine keys are compromised.
– The vulnerability affects multiple Sitecore products, particularly those deployed with sample machine keys from older versions or in multi-instance configurations.
– Attackers successfully exploited this flaw to install malware, exfiltrate sensitive data, and gain administrative access to networks and systems.
– Mandiant disrupted the attack and provided indicators of compromise, while Sitecore has notified affected customers and updated deployments to generate unique keys.
– Organizations using vulnerable Sitecore deployments should check for signs of compromise and follow Sitecore’s guidance to secure machine keys.

A newly identified zero-day vulnerability in Sitecore deployments is currently under active exploitation, posing a significant threat to organizations using on-premises installations of the platform. Security researchers at Mandiant have confirmed that threat actors are leveraging CVE-2025-53690, a critical ViewState deserialization flaw, in combination with a known sample ASP.NET machine key to gain unauthorized access to internet-facing systems.

This vulnerability impacts multiple Sitecore products, including Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC). Systems become susceptible if deployed using a sample machine key provided with earlier versions of XP or Active Directory. The issue may also extend to multi-instance deployments using static, customer-managed keys, as well as certain Managed Cloud environments. Successful exploitation enables remote code execution, allowing attackers to take full control of affected servers.

During recent incident response engagements, Mandiant observed attackers probing web servers before focusing on the /sitecore/blocked.aspx endpoint, which utilizes a hidden ViewState form. ViewState, an ASP.NET feature designed to preserve webpage state, is serialized data that the server signs (and optionally encrypts) with the machine key and deserializes on the next request. When that key is exposed, an attacker can craft a ViewState payload that passes validation, so the server deserializes it and executes arbitrary code.

Once inside, threat actors deployed a range of tools and malware to conduct extensive reconnaissance and data theft. Activities included exfiltrating system and user information, stealing critical configuration files, listing processes and network connections, and creating local administrator accounts. The attackers also installed open-source remote access tools like DWAGENT, performed Active Directory reconnaissance, and moved laterally across the network using compromised credentials.

Mandiant emphasizes the attackers’ sophisticated understanding of Sitecore’s architecture, enabling rapid escalation from initial access to domain-wide compromise. The firm has released indicators of compromise and a YARA rule to help detect the WeepSteel reconnaissance tool used in these intrusions.

Sitecore has confirmed that updated deployments automatically generate unique machine keys, and affected customers have been notified. Organizations using vulnerable versions should immediately review their deployment configurations, check for signs of intrusion, and apply recommended hardening measures for ASP.NET machineKey security. Proactive monitoring and prompt patching are essential to mitigate risks associated with this ongoing threat.
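Added example (not code from the article, Mandiant or Sitecore): a Python audit of an ASP.NET web.config that flags the machineKey conditions the article describes, namely keys matching a published sample value, static keys that are short or non-random, weak MAC or cipher settings, and ViewState MAC disabled. The sample-key set holds placeholders rather than Sitecore's real sample values, the recommended key lengths are assumptions, and the web.config fragment is constructed.

```python
import xml.etree.ElementTree as ET

# Placeholders standing in for the sample keys shipped with older Sitecore versions;
# the real values come from Sitecore's advisory, not from this example.
KNOWN_SAMPLE_KEYS = {"PLACEHOLDER_SITECORE_SAMPLE_VALIDATION_KEY",
                     "PLACEHOLDER_SITECORE_SAMPLE_DECRYPTION_KEY"}
WEAK_VALIDATION = {"md5", "sha1"}
WEAK_DECRYPTION = {"des", "3des"}
# Assumed recommended sizes: 64-byte validationKey (HMACSHA256), 32-byte decryptionKey (AES-256).
MIN_HEX_LEN = {"validationKey": 128, "decryptionKey": 64}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return human-readable findings for a web.config's <pages> and <machineKey> settings."""
    root = ET.fromstring(web_config_xml)
    findings = []
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages/@enableViewStateMac=false: ViewState integrity check disabled")
    mk = root.find("system.web/machineKey")
    if mk is None:
        # No element means ASP.NET auto-generates per-machine keys: fine for a single
        # instance, but a multi-instance farm needs one explicit, unique, non-sample key set.
        return findings + ["no <machineKey>: keys auto-generated; confirm single-instance"]
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr}: matches a published sample key; rotate immediately")
        elif len(value) < MIN_HEX_LEN[attr] or not set(value) <= HEX_DIGITS:
            findings.append(f"{attr}: not a {MIN_HEX_LEN[attr]}-hex-char random value")
    if mk.get("validation", "HMACSHA256").lower() in WEAK_VALIDATION:
        findings.append(f"validation={mk.get('validation')}: weak MAC algorithm")
    if mk.get("decryption", "Auto").lower() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')}: weak cipher")
    return findings


# Constructed web.config fragment for demonstration (not from any real deployment).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="PLACEHOLDER_SITECORE_SAMPLE_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SITECORE_SAMPLE_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

An empty result means the static keys are unique-looking, full-length hex with strong algorithms; it cannot tell whether the same key set is reused across other instances, which still has to be checked against the deployment inventory.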

(Source: HelpNet Security)
