Attackers are exploiting a zero-day vulnerability, tracked as CVE-2025-53690, in Sitecore solutions to breach internet-facing on-premises deployments. The vulnerability is a ViewState deserialization flaw that affects all versions of Sitecore Experience Manager, Experience Platform, Experience Commerce, and Managed Cloud. Systems that use a sample machine key from older deployment instructions are particularly at risk. Exploiting the flaw can enable remote code execution on vulnerable instances.

Mandiant's responders intervened during an attack in which the attackers probed web servers and exploited the /sitecore/blocked.aspx page to execute malicious ViewState requests. Once inside, the attackers installed tools to gather and exfiltrate sensitive information, created administrator accounts, and performed extensive network reconnaissance.

Mandiant has shared indicators of compromise and provided detection tools. Sitecore has updated its deployments to generate unique machine keys and has advised affected customers on protective measures. Organizations are urged to check for signs of compromise.
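
One way to audit for the machine-key exposure described above. This is an added example, not code from Sitecore or Mandiant. It flags hard-coded ASP.NET `machineKey` values that match a published sample key or are reused across deployments. The `EXPOSED` entry, the host labels and the sample configs are constructed placeholders; the real sample key must be taken from the vendor advisory.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def _digest(key):
    # Hex keys are case-insensitive; compare digests so key material stays out of reports.
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()

# Constructed placeholder, NOT the real sample key: fill from the vendor advisory.
EXPOSED = {_digest("PLACEHOLDER_NOT_A_REAL_KEY")}

def static_keys(config_xml):
    """Yield (attribute, value) for every hard-coded machineKey value in a web.config."""
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate")
            # "AutoGenerate[,IsolateApps]" means ASP.NET creates a per-machine key.
            if value.split(",")[0].strip().lower() != "autogenerate":
                yield attr, value

def audit(configs, exposed=EXPOSED):
    """configs: {label: web.config text}. Returns sorted (label, attribute, issue) tuples."""
    findings, seen = [], defaultdict(set)
    for label, xml_text in configs.items():
        for attr, value in static_keys(xml_text):
            d = _digest(value)
            seen[(attr, d)].add(label)
            if d in exposed:
                findings.append((label, attr, "matches published sample key"))
    for (attr, _), labels in seen.items():
        if len(labels) > 1:  # same key on several hosts: not unique per deployment
            findings += [(l, attr, "key shared across deployments") for l in labels]
    return sorted(findings)

# Constructed sample inputs (labels and key values are illustrative only).
SAMPLE = {
    "cm01": '<configuration><system.web><machineKey validationKey="PLACEHOLDER_NOT_A_REAL_KEY" '
            'decryptionKey="AAAA1111" validation="SHA1" /></system.web></configuration>',
    "cd01": '<configuration><system.web><machineKey validationKey="BBBB2222" '
            'decryptionKey="aaaa1111" /></system.web></configuration>',
    "cd02": '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
            'decryptionKey="AutoGenerate" /></system.web></configuration>',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

A match on the published key means the instance should be treated as potentially compromised and reviewed against the shared indicators, not only re-keyed.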

