NG Solution Team

How did a Sitecore vulnerability arise from exposed machine keys?

A critical zero-day vulnerability in Sitecore has been exploited through a misconfiguration: deployments running with publicly known ASP.NET machine keys that were originally published as samples in the vendor’s documentation. Tracked as CVE-2025-53690, the flaw let attackers use those exposed keys to achieve remote code execution. It affects customers who implemented the sample key provided in Sitecore’s deployment guides, especially for versions 9.0 and earlier of the Sitecore Experience Platform.

The issue arises from users copying example keys from official documentation instead of generating unique, random ones, which leaves systems vulnerable to ViewState deserialization attacks. Although Mandiant intervened to disrupt the attack, its full scope remains unclear. After gaining access to compromised systems, the attacker used that foothold to deploy malware and conduct reconnaissance.

Sitecore recommends rotating machine keys and checking for signs of ViewState attacks. However, rotating keys will not protect systems already breached. The incident underscores the importance of not using placeholder keys in production environments, a responsibility shared by both users and the vendor. The extent of the impact on organizations remains undetermined, highlighting the need for vigilance in software configuration and deployment.
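One way to audit deployments for the misconfiguration described above, as an added example that is not code from Sitecore or Mandiant: it classifies the `machineKey` attributes of a `web.config` as auto-generated, static, or matching a denylist of published sample keys. The denylist entry and both config fragments are constructed placeholders, not the key from the Sitecore guides.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a key printed in public documentation.
# It is NOT the key from the Sitecore guides; populate this set from your own source.
PUBLISHED_SAMPLE_KEYS = {"0123456789ABCDEF" * 4}

def _fingerprint(key):
    # Compare by hash so reports and logs never contain key material.
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()

DENYLIST = {_fingerprint(k) for k in PUBLISHED_SAMPLE_KEYS}

def audit_machine_key(web_config_xml):
    """Classify validationKey/decryptionKey of every <machineKey> in one web.config."""
    findings = {}
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns on <configuration>
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate")
            if value.split(",")[0].strip().lower() == "autogenerate":
                findings[attr] = "auto-generated"
            elif _fingerprint(value) in DENYLIST:
                findings[attr] = "published-sample"  # rotate, then hunt for compromise
            else:
                findings[attr] = "static"  # confirm it is random and unique to this farm
    return findings

# Constructed web.config fragments for the demonstration.
COPIED_FROM_DOCS = """<configuration><system.web>
  <machineKey validationKey="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""
NO_ELEMENT = "<configuration><system.web /></configuration>"

if __name__ == "__main__":
    for name, xml in (("copied", COPIED_FROM_DOCS), ("default", NO_ELEMENT)):
        print(name, audit_machine_key(xml))
```

A `published-sample` result calls for rotation together with a compromise review, since rotation alone does not help a system that has already been breached.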
