PT-2025-35830 · Sitecore · Sitecore Experience Platform

Andi Slok · Published 2025-09-03 · Updated 2026-01-20 · CVE-2025-53690

CVSS v3.1: 9.0
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), Experience Commerce (XC), and Managed Cloud versions through 9.0
Description: A deserialization of untrusted data issue exists in Sitecore products, allowing for code injection. This vulnerability, tracked as CVE-2025-53690, is actively exploited by the China-linked APT group UAT-8837, which has targeted North American critical infrastructure. The exploitation involves a ViewState deserialization flaw stemming from the use of a sample ASP.NET machine key that was included in documentation prior to 2017. Attackers are leveraging this to achieve remote code execution (RCE) and deploy malware such as WeepSteel, Earthworm, and Dwagent. The vulnerability is present when static machine keys are used and affects the /sitecore/blocked.aspx endpoint. Approximately 1.6 million services are estimated to be potentially affected. Exploitation involves crafting malicious ViewState payloads, enabling attackers to execute code and gain access to sensitive data.
Recommendations: Rotate all static machine keys in web.config with new unique keys. Ensure the machineKey element within web.config is encrypted. Implement regular rotation of static keys as a continuous security measure.
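The recommendations above can be checked and applied mechanically. The following is an added example, not tooling from Positive Technologies or Sitecore: it audits an exported web.config for a static, cleartext machineKey (the weak setting this advisory is about) and produces a rotated element with fresh random keys. It assumes the standard ASP.NET layout (configuration/system.web/machineKey), that an encrypted section carries the configProtectionProvider attribute written by aspnet_regiis -pe, and that HMACSHA256/AES key sizes of 64 and 32 bytes are wanted; the config text and key values are constructed placeholders.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config with a static machineKey stored in cleartext.
# The key values are placeholders, not any real or documented key.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format(v="11" * 64, d="22" * 32)

HEX = re.compile(r"^[0-9A-Fa-f]+$")


def find_machine_key(config_xml):
    """Return the <machineKey> element under <system.web>, or None if absent."""
    root = ET.fromstring(config_xml)
    return root.find("./system.web/machineKey")


def audit_machine_key(config_xml):
    """Classify the machineKey configuration the way a defender would during triage.

    Returns a dict with:
      present   - a <machineKey> element exists
      encrypted - the section is protected (configProtectionProvider set by aspnet_regiis -pe)
      static    - explicit validationKey/decryptionKey values rather than AutoGenerate
                  (None when encrypted, because the values cannot be inspected offline)
      issues    - human-readable findings
    """
    mk = find_machine_key(config_xml)
    if mk is None:
        # No element: ASP.NET auto-generates per-server keys, so no static-key exposure.
        return {"present": False, "encrypted": False, "static": False, "issues": []}
    if mk.get("configProtectionProvider") is not None:
        return {"present": True, "encrypted": True, "static": None, "issues": []}
    # ASP.NET's default for both attributes is "AutoGenerate,IsolateApps".
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    static = not (vkey.startswith("AutoGenerate") or dkey.startswith("AutoGenerate"))
    issues = []
    if static:
        issues.append("static machineKey in cleartext: rotate the keys and encrypt the section")
        if not (HEX.match(vkey) and HEX.match(dkey)):
            issues.append("key values are not hex strings; likely hand-typed or copied from a sample")
    return {"present": True, "encrypted": False, "static": static, "issues": issues}


def generate_keys():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES decryption."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rotate_machine_key(config_xml):
    """Return the config text with a new, unique static machineKey.

    This is step one of rotation; encrypting the section (aspnet_regiis -pe
    "system.web/machineKey") is done afterwards on the server. An already
    encrypted section must be decrypted (aspnet_regiis -pd) before rotating.
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        raise ValueError("no <system.web> section in config")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    if mk.get("configProtectionProvider") is not None:
        raise ValueError("section is encrypted; decrypt it before rotating")
    vkey, dkey = generate_keys()
    mk.set("validationKey", vkey)
    mk.set("decryptionKey", dkey)
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_machine_key(WEAK_CONFIG))
    print(rotate_machine_key(WEAK_CONFIG))
```

Rotating the keys invalidates every ViewState and forms-authentication ticket signed with the old ones, so schedule the change for all servers in a farm at once (they must share the same keys) and expect users to be signed out; that is the expected cost of the continuous rotation the advisory recommends.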

Exploit

Fix

RCE

LPE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-53690

Affected Products

Sitecore Experience Manager
Sitecore Experience Platform