Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity.
“Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.
“This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.”
Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group.
“The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said.
The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the keys to deliver the Godzilla post-exploitation framework.
Two months later, a similar zero-day vulnerability in Gladinet’s CentreStack, tracked as CVE-2025-30406 (CVSS score: 9.0), came under exploitation. It stemmed from an improperly protected machine key that could expose internet-accessible servers to remote code execution attacks.
Then in May 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS score: 8.1) that it said had been exploited in the wild by a nation-state threat actor to conduct ViewState code injection attacks targeting a small set of customers.
As recently as July, the Initial Access Broker (IAB) known as Gold Melody was attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and sell that access to other threat actors.
In the attack chain documented by Mandiant, CVE-2025-53690 is weaponized to achieve initial compromise of the internet-facing Sitecore instance, leading to the deployment of a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance.
The ViewState payload delivered using the sample machine key specified in publicly available deployment guides is a .NET assembly dubbed WEEPSTEEL, which is capable of gathering system, network, and user information, and exfiltrating the details back to the attacker. The malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py.
With the access obtained, the attackers have been found to establish a foothold, escalate privileges, maintain persistence, conduct internal network reconnaissance, and move laterally across the network, ultimately leading to data theft. Some of the tools used during these phases are listed below –
- EarthWorm for network tunneling using SOCKS
- DWAgent for persistent remote access and Active Directory reconnaissance to identify Domain Controllers within the target network
- SharpHound for Active Directory reconnaissance
- GoTokenTheft for listing unique user tokens active on the system, executing commands using the tokens of users, and listing all running processes and their associated user tokens
- Remote Desktop Protocol (RDP) for lateral movement
The threat actors have also been observed creating local administrator accounts (asp$ and sawadmin) to dump SAM/SYSTEM hives in an attempt to obtain administrator credentials access and facilitate lateral movement via RDP.
“With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods,” Mandiant added.
To counter the threat, organizations are recommended to rotate the ASP.NET machine keys, lock down configurations, and scan their environments for signs of compromise.
“The upshot of CVE-2025-53690 is that an enterprising threat actor somewhere has apparently been using a static ASP.NET machine key that was publicly disclosed in product docs to gain access to exposed Sitecore instances,” Caitlin Condon, VP of security research at VulnCheck, told The Hacker News.
“The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure — and as we’ve seen plenty of times before, threat actors definitely read documentation. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet.”
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said the issue is the result of Sitecore customers copying and pasting example keys from official documentation, rather than generating unique, random ones.
“Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to Remote Code Execution (RCE),” Dewhurst added.
“Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will.”
