
Is there a critical vulnerability in Sitecore products allowing remote code execution?

On September 4, 2025, a significant zero-day vulnerability was disclosed in Sitecore products, identified as CVE-2025-53690. The flaw allowed attackers who knew an installation's ASP.NET machine keys to submit malicious ViewState payloads, leading to remote code execution and extensive network infiltration. The vulnerability, traced to static keys in outdated deployment guides, affected many on-premises and customer-managed environments and prompted urgent advisories and patches from Sitecore.

The issue stemmed from static ASP.NET machine key values published in Sitecore's documentation for older versions; where these were deployed unchanged, an attacker holding the same keys could produce a ViewState that passes integrity checks. By targeting the /sitecore/blocked.aspx endpoint, attackers could compromise servers. IIS logs showed HTTP POST requests accompanied by "ViewState verification failed" errors, indicating the use of the leaked machine keys together with tools such as ysoserial.net to create malicious payloads.

Once deserialized, the payload activated a .NET assembly named WEEPSTEEL, gathering system and network information. The malware serialized this data into JSON, disguising it as benign ViewState data for exfiltration. This allowed attackers to map the victim’s environment covertly.

After initial code execution under the NETWORK SERVICE account, attackers archived the web root, targeting sensitive files to extract configuration secrets. Reconnaissance commands provided detailed environment profiling, while public directories were used to stage tools like EARTHWORM, DWAGENT, and SHARPHOUND.

Privilege escalation was achieved by creating deceptive local administrator accounts to extract password hashes and gain domain-level credentials. Using valid administrator credentials, attackers moved across hosts via RDP, conducting internal discovery and removing temporary accounts to cover their tracks.

Sitecore responded by publishing Security Bulletin SC2025-005, advising customers to check for anomalies and rotate static machine keys. Recommendations included automating machine key rotation, enabling ViewState MAC and encryption, securing configuration files, and monitoring for indicators of compromise.
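The configuration weakness described above and the remediation advice in the bulletin (rotate static keys, enable ViewState MAC and encryption) can be checked mechanically. The following audit script is an added example, not Sitecore's own tooling; the two web.config fragments and the key values in them are constructed placeholders, not values from any Sitecore guide.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments for illustration; the static key
# values are placeholders, not the values from any Sitecore documentation.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-STATIC-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-STATIC-DECRYPTION-KEY" validation="SHA1" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

LEGACY_VALIDATION = {"MD5", "SHA1"}


def audit_viewstate_config(web_config_xml: str) -> list[str]:
    """Return one finding per ViewState-related weakness in a web.config.

    A key copied from public documentation lets anyone holding that document
    produce a ViewState with a valid MAC, so static keys are flagged for
    rotation; a disabled MAC or unencrypted ViewState is flagged as well.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    pages = next(root.iter("pages"), None)
    mk_attrs = dict(mk.attrib) if mk is not None else {}
    page_attrs = dict(pages.attrib) if pages is not None else {}

    for attr in ("validationKey", "decryptionKey"):
        # An absent attribute defaults to AutoGenerate, which is not static.
        if not mk_attrs.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"static {attr}: rotate it and never reuse a documented sample key")
    if mk_attrs.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
        findings.append("legacy validation algorithm: use HMACSHA256")
    if page_attrs.get("enableViewStateMac", "true").lower() != "true":
        findings.append("enableViewStateMac is not true: ViewState MAC checks are off")
    if page_attrs.get("viewStateEncryptionMode", "Auto") != "Always":
        findings.append("viewStateEncryptionMode is not Always: ViewState is sent unencrypted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_viewstate_config(cfg) or ["no findings"])
```

On a multi-server farm the keys must match across nodes, so AutoGenerate is not an option there; the script will still flag such keys, and the right response is to confirm they are unique to the deployment, stored outside the web root, and rotated on a schedule.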

Organizations using ASP.NET applications are urged to apply these lessons broadly to protect against deserialization and code injection threats. By addressing configuration oversights and adopting strong key management practices, Sitecore customers can better defend against sophisticated adversaries targeting application-layer vulnerabilities.
