NG Solution Team

Is a Zero-Day Vulnerability in Sitecore Products Allowing Remote Code Execution?

A critical zero-day vulnerability in several Sitecore products allows remote code execution and has been exploited in the wild. Tracked as CVE-2025-53690, it is an ASP.NET ViewState deserialization flaw, but the root cause is configuration rather than code: sample ASP.NET machine keys printed in Sitecore deployment guides from 2017 and earlier were copied verbatim into production web.config files. ASP.NET protects ViewState with a message authentication code computed from the validationKey, so an attacker who knows that key does not need to bypass the check; they can sign an arbitrary serialized payload, submit it as ViewState, and have the server deserialize it and execute code. Sitecore acknowledged the issue in advisory SC2025-005, which applies to customers whose deployments still use the published keys, has changed its deployment process to generate unique keys, and has notified affected customers.

The affected products are Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) and Managed Cloud; XM Cloud, Content Hub and OrderCloud are not affected. Sitecore directs customers to its official advisory for product-specific guidance. Mandiant's investigation found the flaw exploited against an internet-facing Sitecore instance to deploy WEEPSTEEL, custom reconnaissance malware that collected system, network and user information and exfiltrated it. After the initial foothold the attackers brought in EARTHWORM for network tunnelling, DWAGENT for remote access and SHARPHOUND for Active Directory enumeration, created local administrator accounts to escalate privileges, attempted to dump credentials, and moved laterally over RDP. DWAGENT was installed as a Windows service to maintain access.

To mitigate the risk, Mandiant advises organisations to review their environments for use of the published keys and for signs of the activity above, and to apply ASP.NET hardening: generate machine keys that are unique to each deployment and rotate them automatically on a schedule, and keep View State Message Authentication Code (MAC) validation enabled (encrypting ViewState is a further general hardening step). One caveat matters for detection: a payload signed with the genuine key passes MAC validation, so the server records no MAC failure, and the intrusion has to be found from what follows it, such as new local administrator accounts, tunnelling tools and unexpected service installations. Sitecore's advisory SC2025-005 carries the detailed remediation steps, and the company urges customers to apply all security fixes promptly. The incident shows why sample values from documentation must never reach production, and why continuous security monitoring and prompt patching are needed to catch it when they do.
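As an added example that is not part of the article and is not Sitecore's or Mandiant's code, the following Python script audits an ASP.NET web.config for the conditions described above (a machineKey copied from published documentation, a weak validation algorithm, ViewState MAC disabled, ViewState sent unencrypted) and writes back a rotated, hardened configuration. The sample web.config, its key values and the `KNOWN_PUBLISHED_KEYS` set are constructed placeholders for illustration; the real keys from the old deployment guides are deliberately not reproduced.

```python
"""Audit an ASP.NET web.config for the machineKey weaknesses behind
CVE-2025-53690 and produce a rotated, hardened configuration.

Added example for this article, not code from Sitecore or Mandiant.
The sample web.config and every key value below are constructed
placeholders, not the keys printed in Sitecore's old deployment guides.
"""
import secrets
import xml.etree.ElementTree as ET

# Validation algorithms acceptable for the ViewState MAC.
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

# Stand-in for the keys printed in the old deployment guides (constructed
# values). In a real audit, populate this with the published keys, or with
# hashes of them, so a verbatim copy is recognised.
KNOWN_PUBLISHED_KEYS = {
    "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF",
    "00112233445566778899AABBCCDDEEFF",
}

# Constructed sample: keys pasted verbatim from a guide, MAC disabled,
# ViewState never encrypted.
WEAK_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="00112233445566778899AABBCCDDEEFF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged.

    A static key that is *not* in KNOWN_PUBLISHED_KEYS is not flagged (web
    farms legitimately share an explicit key), so a manual check that such a
    key was generated for this deployment is still required.
    """
    # Parse as bytes so a real file's encoding declaration is accepted.
    root = ET.fromstring(config_xml.encode("utf-8"))
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            if mk.get(attr, "AutoGenerate").upper() in KNOWN_PUBLISHED_KEYS:
                findings.append(f"{attr} matches a publicly documented sample key")
        algo = mk.get("validation", "HMACSHA256")
        if algo.upper() not in STRONG_VALIDATION:
            findings.append(f"validation={algo}: use HMACSHA256 or stronger")
    pages = root.find("./system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() != "true":
            findings.append("enableViewStateMac is not true: ViewState MAC disabled")
        if pages.get("viewStateEncryptionMode", "Auto") != "Always":
            findings.append("viewStateEncryptionMode is not Always: ViewState sent in the clear")
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with fresh random keys and ViewState MAC/encryption on.

    HMACSHA256 takes a 64-byte validationKey; AES-256 takes a 32-byte
    decryptionKey. Both come from the OS CSPRNG via the secrets module.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    web = root.find("./system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    pages = web.find("pages")
    if pages is None:
        pages = ET.SubElement(web, "pages")
    pages.set("enableViewStateMac", "true")
    pages.set("viewStateEncryptionMode", "Always")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(WEAK_WEB_CONFIG):
        print("FINDING:", finding)
    hardened = rotate_machine_key(WEAK_WEB_CONFIG)
    print("after rotation:", audit_machine_key(hardened) or "no findings")
```

Rotation invalidates every outstanding ViewState, forms-authentication ticket and other MAC-protected artefact, so on a load-balanced Sitecore deployment the new key has to be pushed to every node in the same change window, and the script should be run against each node's web.config afterwards to confirm they agree.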
