Rommel Joven

Researcher from Mandiant
#28555 of 53,638
9 Total CVSS
Vulnerabilities · 1
PT-2025-35830 · CVSS 9 · 2025-09-02 · Sitecore · Sitecore Experience Manager · CVE-2025-53690
**Name of the Vulnerable Software and Affected Versions**
Sitecore Experience Manager (XM) versions 9.0 and earlier
Sitecore Experience Platform (XP) versions 9.0 and earlier
Sitecore Experience Commerce (XC) versions 9.0 and earlier
Sitecore Managed Cloud versions 9.0 and earlier
Sitecore Active Directory module versions 1.4 and earlier
Only installations that were deployed with the sample keys described below are affected.

**Description**
Several Sitecore products are affected by deserialization of untrusted data. The root cause is the reuse of sample ASP.NET `<machineKey>` values that were printed in official deployment guides up to 2017: an installation that copied those static keys into production shares its ViewState validation (MAC) and encryption keys with anyone who has read the guide. ASP.NET only deserializes a `__VIEWSTATE` value whose MAC verifies, so with the keys known an attacker can forge a correctly signed payload and the server deserializes it, giving remote code execution as the IIS worker process identity (NETWORK SERVICE in the observed deployments). The attack targets the unauthenticated endpoint `/sitecore/blocked.aspx`, which renders a ViewState field, so no credentials are required.

This issue has been exploited in the wild. The activity is attributed to a China-linked advanced persistent threat (APT) group tracked as UAT-8837, targeting critical infrastructure sectors in North America. After gaining a foothold the attackers deployed WeepSteel, a reconnaissance backdoor that collects system, process, disk and network information, then used Earthworm for network tunnelling, Dwagent for remote access and SharpHound for Active Directory reconnaissance, before exfiltrating sensitive data and establishing persistent access.

**Recommendations**
For all affected versions, immediately replace every static `<machineKey>` value in `web.config` with new, unique keys generated from a cryptographically secure random source. Compare the currently configured keys against the sample values from the old deployment guides first: a match means the keys are public and the host should be treated as potentially compromised, not merely misconfigured. Rotating the keys invalidates existing ViewState and forms-authentication tickets, so schedule the change accordingly.

Encrypt the `<machineKey>` section of `web.config` with ASP.NET protected configuration (`aspnet_regiis -pe`) so the keys are not readable in plain text by anyone with file access.

Keep ViewState MAC (Message Authentication Code) validation enabled so that tampered ViewState is rejected. Note the caveat: the MAC only protects while the keys are secret; a forged payload signed with the known sample keys passes validation, so this setting is no substitute for rotating the keys. On ASP.NET 4.5.2 and later the MAC is always enforced regardless of configuration.

Implement regular rotation of static keys as a permanent security measure.
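The following script, added here as a worked example and not code from Sitecore, Mandiant or this database, shows the check and the fix described above: it parses an ASP.NET `web.config`, flags a `<machineKey>` whose keys match a known sample set, a weakened validation algorithm or an explicit `enableViewStateMac="false"`, and rewrites the element with fresh CSPRNG keys. The `KNOWN_SAMPLE_KEYS` values and the sample `web.config` are constructed placeholders; a real audit populates the set from the vendor advisory.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Placeholder values standing in for the sample keys printed in the old Sitecore
# deployment guides. They are constructed for this example; a real audit loads
# the published values from the vendor advisory. Compared case-insensitively.
SAMPLE_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars = 64-byte HMAC key
SAMPLE_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars = 32-byte AES key
KNOWN_SAMPLE_KEYS = {SAMPLE_VALIDATION_KEY, SAMPLE_DECRYPTION_KEY}

# Validation algorithms weaker than the HMACSHA256 default of ASP.NET 4.x.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}

# Constructed web.config that reuses the placeholder sample keys, downgrades the
# MAC algorithm and switches ViewState MAC off (ignored on 4.5.2 and later, but
# still a finding on older runtimes).
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="SHA1"
                decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""


def parse_machine_key(element_xml: str) -> dict:
    """Return the attributes of a single <machineKey ... /> element."""
    return dict(ET.fromstring(element_xml).attrib)


def audit_machine_key(config_xml: str) -> list:
    """Return findings for the <system.web> settings that govern ViewState
    integrity. An empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No static element: ASP.NET generates per-machine keys, so there is
        # nothing copied from a guide to reuse.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = (mk.get(attr) or "").strip()
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a published sample key")
        elif (value and "AUTOGENERATE" not in value.upper()
              and not re.fullmatch(r"[0-9A-Fa-f]+", value)):
            findings.append(f"{attr} is not a hex key")
    # Absent attribute means the framework default, HMACSHA256 on ASP.NET 4.x.
    validation = (mk.get("validation") or "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation={validation} is weaker than HMACSHA256")
    pages = root.find("./system.web/pages")
    if pages is not None and (pages.get("enableViewStateMac") or "true").lower() == "false":
        findings.append("enableViewStateMac=false turns off ViewState MAC on runtimes older than 4.5.2")
    return findings


def new_machine_key() -> str:
    """Build a replacement <machineKey> with fresh CSPRNG material: 64 bytes for
    the HMACSHA256 validation key and 32 bytes for AES-256 decryption."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


def rotate_machine_key(config_xml: str) -> str:
    """Return config_xml with every <machineKey> replaced by a fresh one and any
    explicit enableViewStateMac="false" removed. Rotating the keys invalidates
    existing ViewState and forms-authentication tickets, so plan a restart window."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    for old in system_web.findall("machineKey"):
        system_web.remove(old)
    system_web.insert(0, ET.fromstring(new_machine_key()))
    pages = system_web.find("pages")
    if pages is not None:
        pages.attrib.pop("enableViewStateMac", None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(rotated))
    print(rotated)
```

Run it against a copy of the production `web.config` (read the file into `audit_machine_key`, then write the output of `rotate_machine_key` back after review). The script deliberately does not touch the `aspnet_regiis -pe` encryption step, which must run on the IIS host itself, and a sample-key match should be escalated as a possible compromise rather than closed as a configuration fix.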