Sitecore


A zero-day vulnerability (CVE-2025-53690) in Sitecore’s Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) was exploited by threat actors who abused a sample ASP.NET machine key that had been published in deployment guidance and then reused in production. Because that key let them produce a valid ViewState MAC, the attackers submitted crafted ViewState payloads that the server deserialized, achieving remote code execution on exposed on-premises deployments. Post-exploitation, they deployed malware (including the DWAGENT RAT), exfiltrated sensitive Sitecore configurations, stole credentials and tokens, performed Active Directory reconnaissance, and escalated privileges to domain administrator level. The attack targeted multi-instance environments with customer-managed static keys, where a single leaked key exposes every instance and enables lateral movement across the network. Although Mandiant disrupted the attack before it ran to completion, the breach exposed backend dependencies, user data, and network architecture, enabling potential follow-on attacks such as data theft, ransomware, or system takeover. Sitecore confirmed that affected customers were notified, but unpatched systems remain at risk of full infrastructure compromise and operational disruption if exploited further.

Source: https://www.helpnetsecurity.com/2025/09/04/sitecore-zero-day-vulnerability-cve-2025-53690-exploited/

TPRM report: https://www.rankiteo.com/company/sitecore
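The root cause above is a static sample machineKey carried into production and shared across instances. The following added example (not code from Rankiteo, Sitecore, or Mandiant) audits web.config files from several Sitecore instances for exactly that condition: a key matching a published sample, MAC validation disabled, and the blast radius of a key shared between instances. The key values and the fingerprint set are constructed placeholders, since the page does not reproduce the leaked key.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Placeholder: SHA-256 fingerprints of key pairs known to be published samples.
# The page does not reproduce the leaked key; populate this from Sitecore's advisory.
KNOWN_SAMPLE_FINGERPRINTS = set()


def fingerprint(validation_key: str, decryption_key: str) -> str:
    """Hash the key pair so fingerprints can be shared without exposing key material."""
    return hashlib.sha256(f"{validation_key}|{decryption_key}".encode()).hexdigest()


def audit_machine_keys(configs: dict) -> dict:
    """Return {instance: [findings]} for a mapping {instance: web.config XML text}."""
    findings = {name: [] for name in configs}
    key_owners = defaultdict(list)  # fingerprint -> instances using that static key
    for name, xml_text in configs.items():
        mk = next(ET.fromstring(xml_text).iter("machineKey"), None)
        if mk is None:
            continue  # no static key: ASP.NET auto-generates per-machine keys
        if mk.get("enableViewStateMac", "true").lower() == "false":
            findings[name].append("enableViewStateMac=false: ViewState integrity check disabled")
        vk = mk.get("validationKey", "AutoGenerate")
        dk = mk.get("decryptionKey", "AutoGenerate")
        if "AutoGenerate" in vk or "AutoGenerate" in dk:
            continue
        fp = fingerprint(vk, dk)
        key_owners[fp].append(name)
        if fp in KNOWN_SAMPLE_FINGERPRINTS:
            findings[name].append("machineKey matches a published sample key: rotate now")
    # Shared keys are expected inside one scaled Sitecore deployment, but one leak then
    # compromises every instance, so report the blast radius explicitly.
    for names in key_owners.values():
        for n in names:
            others = sorted(set(names) - {n})
            if others:
                findings[n].append("static key shared with: " + ", ".join(others))
    return findings


# Constructed demo data (not real keys): a sample key copied into two instances, and a
# third instance with its own key but MAC validation switched off.
SAMPLE_VK, SAMPLE_DK, UNIQUE_VK, UNIQUE_DK = "A" * 128, "B" * 64, "C" * 128, "D" * 64
KNOWN_SAMPLE_FINGERPRINTS.add(fingerprint(SAMPLE_VK, SAMPLE_DK))


def demo_configs() -> dict:
    tpl = ('<configuration><system.web><machineKey validationKey="{vk}" '
           'decryptionKey="{dk}" validation="HMACSHA256" decryption="AES"{extra}/>'
           '</system.web></configuration>')
    return {"cm01": tpl.format(vk=SAMPLE_VK, dk=SAMPLE_DK, extra=""),
            "cd01": tpl.format(vk=SAMPLE_VK, dk=SAMPLE_DK, extra=""),
            "cd02": tpl.format(vk=UNIQUE_VK, dk=UNIQUE_DK, extra=' enableViewStateMac="false"')}
```

Run `audit_machine_keys(demo_configs())` to see the three finding types; on real deployments feed it the web.config text of every internet-facing instance.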

"id": "sit0155601090425",
"linkid": "sitecore",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'name': 'Sitecore Customers',
                        'type': ['Enterprise', 'SMB']}],
 'attack_vector': ['Zero-Day Exploitation (CVE-2025-53690)',
                   'ViewState Deserialization',
                   'Compromised Machine Key',
                   'HTTP Probing (/sitecore/blocked.aspx)'],
 'customer_advisories': ['Check for Compromise',
                         'Apply Mitigations for CVE-2025-53690'],
 'data_breach': {'data_exfiltration': 'Yes (via __VIEWSTATE Responses and '
                                      'Archived Files)',
                 'file_types_exposed': ['Sitecore Config Files',
                                        'Process/Service/Network Connection '
                                        'Lists',
                                        'User Account Data',
                                        'TCP/IP Configurations'],
                 'sensitivity_of_data': 'High (Backend Application '
                                        'Dependencies, AD Recon, Admin '
                                        'Credentials)',
                 'type_of_data_compromised': ['Configuration Files',
                                              'System/Network/User Information',
                                              'Active Directory Data',
                                              'Credentials',
                                              'Tokens']},
 'description': 'A threat actor leveraged a zero-day vulnerability '
                '(CVE-2025-53690) and an exposed sample ASP.NET machine key to '
                'breach internet-facing, on-premises deployments of Sitecore '
                'solutions (XM, XP, XC, Managed Cloud). The attack involved '
                'ViewState deserialization to achieve remote code execution '
                '(RCE), followed by reconnaissance, credential theft, lateral '
                'movement, and deployment of the DWAGENT RAT. Mandiant '
                'disrupted the attack before completion, but the threat actor '
                'demonstrated deep knowledge of Sitecore and Active Directory '
                'environments.',
 'impact': {'data_compromised': ['Sitecore Configuration Files',
                                 'System/Network/User Information',
                                 'Active Directory Data',
                                 'Credentials/Tokens'],
            'identity_theft_risk': ['High (Credential Theft)',
                                    'Token Impersonation'],
            'operational_impact': ['Unauthorized Remote Access',
                                   'Lateral Movement',
                                   'Privilege Escalation to Domain Admin'],
            'systems_affected': ['Sitecore XM/XP/XC/Managed Cloud '
                                 '(Internet-Facing)',
                                 'Domain Controllers',
                                 'Other Network Hosts (via RDP)']},
 'initial_access_broker': {'backdoors_established': ['Local Admin Accounts',
                                                     'Domain Admin Access',
                                                     'DWAGENT RAT'],
                           'entry_point': ['Exposed /sitecore/blocked.aspx '
                                           '(ViewState)',
                                           'Compromised Machine Key'],
                           'high_value_targets': ['Domain Controllers',
                                                  'Active Directory',
                                                  'Sitecore Backend Configs']},
 'investigation_status': 'Ongoing (Attack Disrupted; Full Lifecycle Unknown)',
 'lessons_learned': ['Threat actors exploit poorly secured machine keys in '
                     'ASP.NET applications for ViewState attacks.',
                     'Default/sample keys in deployment instructions create '
                     'systemic risk.',
                     'Deep product knowledge (e.g., Sitecore, AD) enables '
                     'rapid privilege escalation.',
                     'Multi-instance deployments with static keys amplify '
                     'exposure.'],
 'post_incident_analysis': {'corrective_actions': ['Automate unique machine '
                                                   'key generation for new '
                                                   'deployments.',
                                                   'Patch CVE-2025-53690 and '
                                                   'audit existing keys.',
                                                   'Enhance monitoring for '
                                                   'ViewState deserialization '
                                                   'attacks.',
                                                   'Restrict RDP and lateral '
                                                   'movement paths.'],
                            'root_causes': ['Use of default/sample ASP.NET '
                                            'machine keys in production.',
                                            'Lack of ViewState integrity '
                                            'validation mechanisms.',
                                            'Internet-facing deployment of '
                                            'vulnerable Sitecore instances.',
                                            'Multi-instance topologies with '
                                            'static keys increasing attack '
                                            'surface.']},
 'recommendations': ['Replace default/sample machine keys with unique, '
                     'securely generated keys.',
                     'Audit internet-facing Sitecore instances for '
                     'CVE-2025-53690 indicators.',
                     'Monitor for __VIEWSTATE manipulation and unusual '
                     '/sitecore/blocked.aspx requests.',
                     'Implement least-privilege access and segment networks to '
                     'limit lateral movement.',
                     'Deploy YARA rules for WeepSteel and DWAGENT RAT '
                     'detection.',
                     'Follow Sitecore’s guidance on protecting ASP.NET '
                     'machineKey configurations.'],
 'references': [{'source': 'Mandiant (Google Cloud)'},
                {'source': 'Sitecore Advisory on CVE-2025-53690'}],
 'response': {'communication_strategy': ['Sitecore Customer Notifications',
                                         'Public Advisory via Mandiant'],
              'containment_measures': ['Attack Disruption by Mandiant',
                                       'Indicators of Compromise (IoCs) Shared',
                                       'YARA Rule for WeepSteel Tool'],
              'enhanced_monitoring': ['Recommended for Affected Organizations'],
              'incident_response_plan_activated': 'Yes (Mandiant Disrupted '
                                                  'Attack)',
              'remediation_measures': ['Sitecore Guidance on Machine Key '
                                       'Protection',
                                       'Automated Unique Key Generation for '
                                       'New Deployments'],
              'third_party_assistance': ['Mandiant (Incident Response)']},
 'stakeholder_advisories': ['Sitecore Customer Notifications',
                            'Mandiant IoCs/YARA Rule'],
 'title': 'Exploitation of CVE-2025-53690 in Sitecore Deployments via '
          'ViewState Deserialization',
 'type': ['Vulnerability Exploitation',
          'Remote Code Execution (RCE)',
          'Credential Theft',
          'Lateral Movement',
          'Data Exfiltration'],
 'vulnerability_exploited': 'CVE-2025-53690 (ViewState Deserialization in '
                            'Sitecore XM/XP/XC/Managed Cloud)'}