Security analysts have successfully disrupted an attack exploiting a critical zero-day vulnerability in Sitecore, a widely-used content management system by major companies like HSBC, L’Oréal, Toyota, and United Airlines. The attack took advantage of exposed ASP.NET machine keys found in Sitecore deployment guides from 2017 and earlier, enabling remote code execution. ASP.NET, a Microsoft-developed web application framework, uses machine keys for securing critical operations. The exposure occurred due to a ViewState deserialization vulnerability in Sitecore Experience Manager and Platform. The flaw arose from users copying example keys from official documentation instead of generating unique ones. The vulnerability, identified as CVE-2025-53690 with a critical severity score of 9.0, affects Sitecore XM and XP versions up to 9.0. It impacts customers using the sample key from public deployment guides, specifically in Sitecore XP 9.0 and Active Directory 1.4 and earlier. Although the attack was interrupted before completion, it revealed the attackers’ sophisticated understanding of the product and its vulnerabilities.
Has Sitecore’s zero-day vulnerability been patched following exploitation?
