PT-2025-35830 · Sitecore · Sitecore Experience Manager +1

Andi Slok +4 · Published 2025-09-03 · Updated 2025-09-05 · CVE-2025-53690

CVSS v3.1: 9.0 (Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

**Name of the Vulnerable Software and Affected Versions:**

Sitecore Experience Manager (XM) versions through 9.0

Sitecore Experience Platform (XP) versions through 9.0

Sitecore versions prior to 9.0 (AD 1.4 and earlier)

**Description:**

A critical deserialization vulnerability exists in Sitecore products, allowing remote code execution (RCE). The flaw stems from deployments that still use ASP.NET machine keys exposed in older Sitecore deployment documentation dating back to 2017. Attackers exploit it by submitting crafted ViewState payloads to the `/sitecore/blocked.aspx` endpoint, leading to execution of arbitrary code.

Observed attacker behavior includes deployment of the WEEPSTEEL reconnaissance malware, privilege escalation to SYSTEM-level access, and use of tools such as EARTHWORM for tunneling and SHARPHOUND for Active Directory reconnaissance. The vulnerability has been actively exploited in the wild, with attackers using compromised systems for reconnaissance, data exfiltration, and further network penetration.

**Recommendations:**

Sitecore Experience Manager (XM) versions through 9.0: Rotate machine keys automatically, enable ViewState MAC validation, and encrypt secrets in web.config.

Sitecore Experience Platform (XP) versions through 9.0: Rotate machine keys automatically, enable ViewState MAC validation, and encrypt secrets in web.config.

Sitecore versions prior to 9.0 (AD 1.4 and earlier): Rotate machine keys automatically, enable ViewState MAC validation, and encrypt secrets in web.config.

As a temporary workaround, consider restricting access to the `/sitecore/blocked.aspx` endpoint.
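The conditions this advisory turns on (a static plaintext machine key, ViewState MAC validation switched off, no access restriction on `/sitecore/blocked.aspx`) can be checked directly in a site's web.config. The following audit is an added example, not code from Sitecore or the advisory's authors; it assumes the `machineKey` and `pages` elements sit under `system.web`, and both sample configs and all `PLACEHOLDER_*` values are constructed for illustration.

```python
# Added example (not Sitecore's or the advisory's own code): audit a web.config for
# the conditions behind this advisory. Both configs below are constructed; the
# PLACEHOLDER_* values stand in for real keys and are not the leaked sample keys.
import xml.etree.ElementTree as ET

WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_STATIC_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_STATIC_DECRYPTION_KEY" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<configuration>
  <location path="sitecore/blocked.aspx">
    <system.web><authorization><deny users="*" /></authorization></system.web>
  </location>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
    </machineKey>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

def audit_web_config(xml_text: str) -> list[str]:
    """Return findings tied to this advisory; an empty list means none were seen."""
    findings = []
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    key = web.find("machineKey") if web is not None else None
    pages = web.find("pages") if web is not None else None
    if key is not None and key.get("configProtectionProvider") is None:
        # A static key copied from public documentation lets anyone who read that
        # documentation sign ViewState, so MAC validation alone does not stop it.
        for attr in ("validationKey", "decryptionKey"):
            if "AutoGenerate" not in key.get(attr, "AutoGenerate,IsolateApps"):
                findings.append(f"machineKey {attr} is static plaintext: rotate it and encrypt the section")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is false: ViewState MAC validation is disabled")
    restricted = [loc for loc in root.findall("location")
                  if loc.get("path", "").lower().lstrip("/") == "sitecore/blocked.aspx"
                  and loc.find("system.web/authorization/deny") is not None]
    if not restricted:
        findings.append("no authorization rule restricts sitecore/blocked.aspx (advisory workaround)")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or "no findings")
```

An encrypted `machineKey` section (as produced by `aspnet_regiis -pe`) is treated as satisfying the "encrypt secrets in web.config" recommendation; the audit does not try to decrypt it.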

Tags: Exploit, Fix, RCE, LPE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2025-53690

Affected Products: Sitecore Experience Manager, Sitecore Experience Platform