Federal Civilian Government Department (FCEB) businesses are being suggested to replace their Sitecore cases by September 25, 2025, following the invention of a safety flaw that has come beneath lively exploitation within the wild.
The vulnerability, tracked as CVE-2025-53690, carries a CVSS rating of 9.0 out of a most of 10.0, indicating essential severity.
“Sitecore Expertise Supervisor (XM), Expertise Platform (XP), Expertise Commerce (XC), and Managed Cloud include a deserialization of untrusted knowledge vulnerability involving the usage of default machine keys,” the U.S. Cybersecurity and Infrastructure Safety Company (CISA) mentioned.
“This flaw permits attackers to use uncovered ASP.NET machine keys to attain distant code execution.”
Google-owned Mandiant, which found the lively ViewState deserialization assault, mentioned the exercise leveraged a pattern machine key that had been uncovered in Sitecore deployment guides from 2017 and earlier. The risk intelligence staff didn’t hyperlink the exercise to a recognized risk actor or group.
“The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident of their development from preliminary server compromise to privilege escalation,” researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng mentioned.
The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech big observing restricted exploitation exercise relationship again to December 2024, through which unknown risk actors leveraged the keys to ship the Godzilla post-exploitation framework.
Two months later, an analogous zero-day vulnerability in Gladinet’s CentreStack, tracked as CVE-2025-30406 (CVSS rating: 9.0), got here beneath exploitation. It stemmed from an improperly protected machineKey that might expose internet-accessible servers to distant code execution assaults.
Then in Might 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS rating: 8.1) that it mentioned had been exploited within the wild by a nation-state risk actor to conduct ViewState code injection assaults concentrating on a small set of consumers.
As not too long ago as July, the Preliminary Entry Dealer (IAB) often called Gold Melody was attributed to a marketing campaign that exploits leaked ASP.NET machine keys to acquire unauthorized entry to organizations and promote that entry to different risk actors.
Within the assault chain documented by Mandiant, CVE-2025-53690 is weaponized to attain preliminary compromise of the internet-facing Sitecore occasion, resulting in the deployment of a mixture of open-source and customized instruments to facilitate reconnaissance, distant entry, and Lively Listing reconnaissance.
The ViewState payload delivered utilizing the pattern machine key laid out in publicly obtainable deployment guides is a .NET meeting dubbed WEEPSTEEL, which is able to gathering system, community, and person data, and exfiltrating the main points again to the attacker. The malware borrows a few of its performance from an open-source Python instrument named ExchangeCmdPy.py.
With the entry obtained, the attackers have been discovered to determine a foothold, escalate privileges, preserve persistence, conduct inner community reconnaissance, and transfer laterally throughout the community, finally resulting in knowledge theft. Among the instruments used throughout these phases are listed beneath –
- EarthWorm for community tunneling utilizing SOCKS
- DWAgent for persistent distant entry and Lively Listing reconnaissance to determine Area Controllers inside the goal community
- SharpHound for Lively Listing reconnaissance
- GoTokenTheft for itemizing distinctive person tokens lively on the system, executing instructions utilizing the tokens of customers, and itemizing all operating processes and their related person tokens
- Distant Desktop Protocol (RDP) for lateral motion
The risk actors have additionally been noticed creating native administrator accounts (asp$ and sawadmin) to dump SAM/SYSTEM hives in an try and acquire administrator credentials entry and facilitate lateral motion through RDP.
“With administrator accounts compromised, the sooner created asp$ and sawadmin accounts had been eliminated, signaling a shift to extra secure and covert entry strategies,” Mandiant added.
To counter the risk, organizations are beneficial to rotate the ASP.NET machine keys, lock down configurations, and scan their environments for indicators of compromise.
“The upshot of CVE-2025-53690 is that an enterprising risk actor someplace has apparently been utilizing a static ASP.NET machine key that was publicly disclosed in product docs to realize entry to uncovered Sitecore cases,” Caitlin Condon, VP of safety analysis at VulnCheck, informed The Hacker Information.
“The zero-day vulnerability arises from each the insecure configuration itself (i.e., use of the static machine key) and the general public publicity — and as we have seen loads of occasions earlier than, risk actors undoubtedly learn documentation. Defenders who even barely suspect they is perhaps affected ought to rotate their machine keys instantly and guarantee, wherever potential, that their Sitecore installations should not uncovered to the general public web.”
Ryan Dewhurst, head of proactive risk intelligence at watchTowr, mentioned the difficulty is the results of Sitecore prospects copying and pasting instance keys from official documentation, relatively than producing distinctive, random ones.
“Any deployment operating with these recognized keys was left uncovered to ViewState deserialization assaults, a straight path proper to Distant Code Execution (RCE),” Dewhurst added.
“Sitecore has confirmed that new deployments now generate keys mechanically and that each one affected prospects have been contacted. The blast radius stays unknown, however this bug displays all of the traits that usually outline extreme vulnerabilities. The broader influence has not but surfaced, however it would.”
