A critical zero-day vulnerability in several Sitecore products could allow attackers to execute code remotely.

The vulnerability, identified as CVE-2025-53690, stems from a ViewState deserialization flaw and is being actively exploited in the wild.

The investigation by Mandiant revealed that attackers are leveraging exposed ASP.NET machine keys that were included in Sitecore deployment guides from 2017 and earlier.

With the keys, an attacker can produce ViewState that passes the server's validation (MAC) check, so a malicious ViewState payload is accepted and deserialized, leading to remote code execution.

Sitecore has acknowledged the vulnerability, labeling it SC2025-005, and has confirmed that it affects customers who used the sample machine key from the outdated deployment guides.

The company has since updated its deployment processes to generate unique machine keys automatically and has notified affected customers.

Impacted Products And Attack Details

The vulnerability potentially impacts several of Sitecore’s main products, including:

Experience Manager (XM)

Experience Platform (XP)

Experience Commerce (XC)

Managed Cloud

Products such as XM Cloud, Content Hub, and OrderCloud are not affected. Sitecore urges customers to consult their official advisory for a complete list and guidance.

Mandiant’s rapid response disrupted the attack before the full lifecycle could be observed, but their investigation provided significant insights into the attacker’s methods.

The attack began with exploitation of the ViewState deserialization vulnerability on an internet-facing Sitecore instance. The attacker then deployed custom malware, dubbed WEEPSTEEL, for internal reconnaissance.

This malware, carried inside the ViewState payload that the server deserialized, gathered system, network, and user information, which was then encrypted and exfiltrated.

Following the initial compromise, the attacker staged several open-source tools in a public directory to expand their foothold. These included:

EARTHWORM: A network tunneling tool to create a covert command-and-control channel.

DWAGENT: A remote access tool for persistent access.

SHARPHOUND: An Active Directory reconnaissance tool.

The threat actor then escalated privileges by creating local administrator accounts and attempted to dump credentials from the SAM/SYSTEM hives. The goal was lateral movement across the network over the Remote Desktop Protocol (RDP).

To maintain their presence, they installed DWAGENT as a service and modified account settings to prevent password expiration.
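The privilege-escalation and persistence steps described above (local account creation, addition to the Administrators group, password-expiry changes, and a service installed from a staging directory) each leave a Windows event. The following is an added example, not Mandiant's or Sitecore's tooling: it correlates simplified records shaped like Security events 4720, 4732 and 4738 and System event 7045 and raises alerts for the chain. The event records and account, service and path names are constructed for illustration, not captured from a real host.

```python
"""Correlate constructed Windows event records for the post-exploitation
chain described in the article. Added example; not the project's code."""
from datetime import datetime, timedelta

# Directories an attacker can typically write to from a web-server context;
# a service whose binary lives here deserves a look (assumption: list is a
# starting point, tune it per environment).
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\inetpub\\wwwroot\\")

# How soon after creation an account being made admin / set to never expire
# is treated as one chain.
WINDOW = timedelta(hours=24)

# Constructed records. Fields are simplified from the real event schema:
# 4720 user created, 4732 member added to local group, 4738 user changed
# (uac_change mirrors the "Don't Expire Password - Enabled" text of the real
# event), 7045 new service installed.
EVENTS = [
    {"id": 4720, "time": "2025-09-01T02:14:05", "subject": "IIS APPPOOL\\Sitecore",
     "target": "svc_backup"},
    {"id": 4732, "time": "2025-09-01T02:14:09", "subject": "IIS APPPOOL\\Sitecore",
     "group": "Administrators", "member": "svc_backup"},
    {"id": 4738, "time": "2025-09-01T02:15:30", "subject": "SERVER01\\svc_backup",
     "target": "svc_backup", "uac_change": "'Don't Expire Password' - Enabled"},
    {"id": 7045, "time": "2025-09-01T02:20:41", "service_name": "DWAgent",
     "image_path": "C:\\Users\\Public\\dwagent.exe"},
    # Benign noise: a help-desk user creates a normal account, and a vendor
    # installer registers a service from Program Files.
    {"id": 4720, "time": "2025-09-01T09:03:00", "subject": "CORP\\helpdesk",
     "target": "newhire01"},
    {"id": 7045, "time": "2025-09-01T09:10:00", "service_name": "BackupAgent",
     "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
]


def detect_persistence(events):
    """Return (rule, subject) alerts for the chain: account created by a web
    identity, new account made admin, new account set to never expire, and a
    service installed from a staging directory."""
    alerts = []
    created = {}  # lower-cased account name -> creation time
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"].lower()] = t
            # An application-pool identity has no business creating accounts.
            if e["subject"].upper().startswith("IIS APPPOOL\\"):
                alerts.append(("ACCOUNT_CREATED_BY_WEB_IDENTITY", e["target"]))
        elif e["id"] == 4732 and e["group"].lower() == "administrators":
            c = created.get(e["member"].lower())
            if c is not None and t - c <= WINDOW:
                alerts.append(("NEW_ACCOUNT_MADE_ADMIN", e["member"]))
        elif e["id"] == 4738:
            change = e.get("uac_change", "").lower()
            c = created.get(e["target"].lower())
            if "don't expire password" in change and "enabled" in change \
                    and c is not None and t - c <= WINDOW:
                alerts.append(("NEW_ACCOUNT_PASSWORD_NEVER_EXPIRES", e["target"]))
        elif e["id"] == 7045:
            if e["image_path"].lower().startswith(STAGING_DIRS):
                alerts.append(("SERVICE_INSTALLED_FROM_STAGING_DIR", e["service_name"]))
    return alerts


if __name__ == "__main__":
    for rule, who in detect_persistence(EVENTS):
        print(f"{rule}: {who}")
```

The correlation keys on the created account's name, so the benign help-desk creation and the vendor service produce no alerts while the four steps of the attack chain each do. In a SIEM the same logic maps to a sequence rule over the real event fields (SubjectUserName, TargetUserName, MemberName, ImagePath).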

Mitigations

Mandiant recommends that all Sitecore customers review their environments and implement security best practices for ASP.NET.

This includes automating machine key rotation, enabling the ViewState Message Authentication Code (MAC), and encrypting any plaintext secrets in configuration.

Sitecore has provided detailed remediation instructions in its official advisory (SC2025-005).

The company strongly encourages customers to ensure their environments are running security-supported versions and to apply all available security fixes without delay.

The discovery of this vulnerability highlights the persistent danger of using default or sample configurations in production environments and underscores the need for continuous security monitoring and proactive patching.
