PT-2025-35830 · Sitecore · Sitecore Experience Manager, Sitecore Experience Platform

Andi Slok +4 · Published 2025-09-03 · Updated 2025-10-14 · CVE-2025-53690

CVSS v3.1: 9.0
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), Sitecore Experience Commerce (XC), and Sitecore Managed Cloud versions prior to 9.0.
Description: A deserialization of untrusted data issue exists in Sitecore products, allowing for code injection. This vulnerability, tracked as CVE-2025-53690, is actively exploited in the wild. Attackers are leveraging exposed default ASP.NET machine keys to achieve remote code execution (RCE) through ViewState deserialization. The exploitation often targets the /sitecore/blocked.aspx endpoint. Successful exploitation allows attackers to deploy malware such as WEEPSTEEL, EARTHWORM, and DWAGENT for reconnaissance, lateral movement, and data theft. Approximately 1.6 million services are estimated to be potentially affected worldwide. The vulnerability stems from sample machine keys included in Sitecore documentation prior to 2017, which were inadvertently copied into production web.config files.

ViewState is not a server-side control. It is the serialized state of an ASP.NET Web Forms page and its controls, which the server embeds in the rendered HTML as the hidden __VIEWSTATE form field and deserializes again on every postback. Its integrity and confidentiality rest entirely on the validationKey and decryptionKey of the <machineKey> element: anyone who knows those keys can sign (and, where required, encrypt) an arbitrary ViewState blob carrying a .NET serialization gadget chain, and the page will deserialize it and run attacker-controlled code. This is why the attack needs no credentials (PR:N) yet is rated AC:H: it only works where the static keys are known, which is exactly the case when they were copied from public documentation. The vulnerable parameter is __VIEWSTATE.
Recommendations: Rotate all static <machineKey> values in web.config with new, unique keys produced by a cryptographically secure random source (for HMACSHA256 validation a 64-byte validationKey, for AES a 32-byte decryptionKey, both written as hex). The keys must be identical on every server that serves the same site, so rotate a whole farm in one step, and expect the rotation to invalidate in-flight ViewState and existing forms-authentication tickets. Ensure the <machineKey> element within web.config is encrypted, for example with aspnet_regiis -pe "system.web/machineKey" -app "/", so that the keys are not readable in clear text by anyone who can read the file. Implement regular rotation of static keys as a continuous security measure. Rotation does not evict an attacker who has already exploited the flaw: review IIS logs for POST requests to /sitecore/blocked.aspx and other Sitecore endpoints, check the Windows Application event log for ASP.NET ViewState validation failures, and inspect the hosts for the WEEPSTEEL, EARTHWORM, and DWAGENT tooling named above.
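As an added example, not part of this advisory and not Sitecore's own tooling: a Python script that audits the <machineKey> element of a web.config against a caller-supplied set of known sample keys and rewrites it with fresh keys from a CSPRNG. The key values and the web.config fragment embedded in it are constructed placeholders, not the real Sitecore sample keys; load the values you actually want to hunt for into KNOWN_SAMPLE_KEYS.

```python
import secrets
import xml.etree.ElementTree as ET

# CONSTRUCTED placeholders standing in for key values copied verbatim from
# documentation. They are not the real Sitecore sample keys; replace them
# with the values you want to detect in your estate.
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,   # 128 hex chars, shaped like a validationKey
    "FEDCBA9876543210" * 4,   # 64 hex chars, shaped like a decryptionKey
}

# Constructed web.config fragment reproducing the weak pattern: static keys
# pasted from a doc sample and therefore shared by every site that copied them.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{}"
                decryptionKey="{}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format("0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4)


def generate_machine_key():
    """Fresh keys from a CSPRNG: 64 bytes for HMACSHA256 validation and
    32 bytes for AES decryption, as upper-case hex the way web.config expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def audit_machine_key(config_xml, known_sample_keys=KNOWN_SAMPLE_KEYS):
    """Return a list of findings for the <machineKey> in a web.config string."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means per-server auto-generated keys: not this CVE, but
        # ViewState signed on one node will not validate on another.
        return ["machineKey element absent (keys auto-generated per server)"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # auto-generated keys cannot be looked up in documentation
        if value.upper() in known_sample_keys:
            findings.append(f"{attr} matches a known sample key")
        elif len(value) < 64:
            findings.append(f"{attr} is shorter than 32 bytes")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("legacy validation algorithm; use HMACSHA256")
    return findings


def rotate_machine_key(config_xml, new_keys=None):
    """Return config_xml with its <machineKey> replaced by fresh unique keys.
    Deploy the same new keys to every node of a farm in one step."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for attr, value in (new_keys or generate_machine_key()).items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(WEAK_CONFIG))
    fixed = rotate_machine_key(WEAK_CONFIG)
    print("after: ", audit_machine_key(fixed))
```

The rewritten file still has to be encrypted in place (aspnet_regiis -pe "system.web/machineKey") and pushed to every node; a web.config that passes this audit on one server but carries different keys on another will break ViewState across the farm rather than secure it.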

Tags: Exploit · Fix · LPE · RCE · Deserialization of Untrusted Data

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2025-53690

Affected Products: Sitecore Experience Manager, Sitecore Experience Platform