PT-2025-35830 · Sitecore · Sitecore Experience Manager +1
Andi Slok +4 · Published 2025-09-03 · Updated 2025-09-07
CVE-2025-53690 · CVSS 9.0 (Critical)
Base vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
**Name of the Vulnerable Software and Affected Versions:**
Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), Sitecore Experience Commerce (XC), and Managed Cloud versions prior to 9.0
Sitecore Active Directory versions 1.4 and earlier
**Description:**
CVE-2025-53690 is a critical deserialization vulnerability in Sitecore products that allows unauthenticated remote code execution (RCE). It stems from a sample ASP.NET `<machineKey>` published in Sitecore deployment guides from 2017 and earlier that was copied verbatim into production `web.config` files. Because the `validationKey` signs ASP.NET ViewState (and the `decryptionKey` encrypts it), anyone who knows these values can produce a ViewState blob that passes MAC validation and is then deserialized by the server; an attacker who reads the documented key can therefore submit a crafted ViewState payload and execute code in the context of the IIS worker process. The vulnerability is actively exploited: observed intrusions deployed the WEEPSTEEL reconnaissance malware, established persistence with tools such as DWAGENT and EARTHWORM, and attempted credential theft. Approximately 1.6 million services are potentially affected worldwide. The initial request is typically sent to `/sitecore/blocked.aspx`, a page that accepts a ViewState postback and does not require authentication.
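Because IIS does not log request bodies, the forged ViewState itself is not visible in web logs, but POST requests to `/sitecore/blocked.aspx` are unusual (normal traffic to that page is a GET) and the payloads are large. The following is an added example written for this entry, not code from the advisory, Sitecore or the Mandiant report; it triages IIS W3C logs for such postbacks. The log lines are constructed, the layout assumes the optional `cs-bytes` field is enabled, and the 4 KiB body threshold is an assumed heuristic.

```python
"""Triage IIS W3C logs for ViewState postbacks to /sitecore/blocked.aspx."""
from collections import defaultdict

# Constructed sample: IIS 10 W3C format with the optional cs-bytes field enabled
# (an assumption about the site's logging configuration). IIS writes spaces in
# User-Agent values as '+', so whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2025-09-01 10:00:01 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 412
2025-09-01 10:00:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.44 python-requests/2.32.0 200 18423
2025-09-01 10:00:15 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.44 python-requests/2.32.0 500 18511
2025-09-01 10:01:02 10.0.0.5 POST /sitecore/login - 443 - 192.0.2.9 Mozilla/5.0+(Windows+NT+10.0) 302 612
2025-09-01 10:02:30 10.0.0.5 POST /Sitecore/Blocked.aspx - 443 - 203.0.113.44 curl/8.5.0 200 17904
2025-09-01 10:03:11 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 192.0.2.9 Mozilla/5.0+(Windows+NT+10.0) 200 1201
"""

TARGET_PATH = "/sitecore/blocked.aspx"
LARGE_BODY_BYTES = 4096  # assumed heuristic: a genuine postback to this page is small, a gadget chain is not


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated entry rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def _to_int(value):
    return int(value) if value.isdigit() else 0


def suspicious_postbacks(rows):
    """POSTs to the unauthenticated blocked.aspx page; GETs there are normal traffic."""
    hits = []
    for r in rows:
        if r.get("cs-method", "").upper() != "POST":
            continue
        if r.get("cs-uri-stem", "").lower() != TARGET_PATH:
            continue
        size = _to_int(r.get("cs-bytes", "-"))
        hits.append({
            "time": f"{r['date']} {r['time']}",
            "client": r.get("c-ip", "-"),
            "status": r.get("sc-status", "-"),
            "user_agent": r.get("cs(User-Agent)", "-"),
            "bytes": size,
            "large_body": size >= LARGE_BODY_BYTES,
        })
    return hits


def triage(text):
    """Return (all hits, hits grouped by client IP) for a log file's contents."""
    hits = suspicious_postbacks(parse_iis_w3c(text))
    by_client = defaultdict(list)
    for h in hits:
        by_client[h["client"]].append(h)
    return hits, dict(by_client)


if __name__ == "__main__":
    hits, by_client = triage(SAMPLE_IIS_LOG)
    for client, events in by_client.items():
        large = sum(e["large_body"] for e in events)
        print(f"{client}: {len(events)} POST(s) to {TARGET_PATH}, {large} with large bodies")
        for e in events:
            print(f"  {e['time']} status={e['status']} bytes={e['bytes']} ua={e['user_agent']}")
```

A 500 response after a large POST is worth a second look in particular: a gadget chain that throws during deserialization still executes before the page fails. Treat the output as a lead for host triage (new processes under w3wp.exe, dropped files in the web root), not as confirmation on its own.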
**Recommendations:**
For all affected products (Sitecore XM, XP, XC and Managed Cloud versions prior to 9.0; Sitecore Active Directory 1.4 and earlier):
- Replace every static `<machineKey>` value (`validationKey` and `decryptionKey`) in `web.config` with unique, randomly generated keys. In multi-server deployments every server in the farm must receive the same new values, and rotation invalidates outstanding ViewState and Forms authentication tickets.
- Encrypt the `<machineKey>` element in `web.config` so the new keys are not stored in plaintext.
- Rotate the keys regularly as a preventive measure, and review any instance that ran with the documented sample key for signs of compromise, since the vulnerability is being actively exploited.
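The Python below is an added example written for this entry (not Sitecore tooling and not part of the advisory) that audits a `web.config` for the conditions the recommendations describe and generates replacement `<machineKey>` values. The config fragment and the key strings are constructed placeholders: the operator fills `KNOWN_PUBLIC_KEYS` with the real documented sample values, which are deliberately not reproduced here, and the `aspnet_regiis` invocation in the trailing comment assumes the default RSA provider and a hypothetical site path.

```python
"""Audit a Sitecore web.config <machineKey> and generate replacement values."""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed fragment standing in for an instance that still carries the key
# copied from the old deployment guide. Placeholder values, not the real sample.
CONSTRUCTED_WEB_CONFIG = """\
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SAMPLE_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SAMPLE_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Key strings the operator knows to be public: the documented sample values,
# keys seen in public repositories, keys shared between unrelated environments.
KNOWN_PUBLIC_KEYS = {
    "PLACEHOLDER_SAMPLE_VALIDATION_KEY",
    "PLACEHOLDER_SAMPLE_DECRYPTION_KEY",
}

HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32,128}$")
LEGACY_VALIDATION = {"SHA1", "MD5", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(config_xml):
    """Return a list of findings; an empty list means nothing to act on."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return ["no <machineKey>: ASP.NET auto-generates per-machine keys (fine for a single "
                "server; ViewState and auth tickets will not validate across a CM/CD farm)"]
    if mk.get("configProtectionProvider"):
        # aspnet_regiis has encrypted the section; the values cannot be inspected here.
        return ["machineKey is encrypted at rest; decrypt a copy (aspnet_regiis -pdf) to verify "
                "the key values are not the documented sample"]
    findings = ["machineKey section is stored in plaintext (not encrypted with aspnet_regiis)"]
    for name in ("validationKey", "decryptionKey"):
        value = mk.get(name, "AutoGenerate,IsolateApps")
        if value in KNOWN_PUBLIC_KEYS:
            findings.append(f"{name} matches a publicly known key: assume ViewState forgery, rotate now")
        elif not value.startswith("AutoGenerate") and not HEX_KEY.match(value):
            findings.append(f"{name} is neither AutoGenerate nor a valid hex key")
    if mk.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
        findings.append(f"validation={mk.get('validation')} is a legacy algorithm; use HMACSHA256 or stronger")
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')} is weak; use AES")
    return findings


def new_machine_key_values():
    """Fresh random keys: 64-byte validationKey for HMACSHA256, 32-byte AES decryptionKey."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml, values=None):
    """Return the config text with a fresh <machineKey>; every server in a farm gets the same values."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is not None and mk.get("configProtectionProvider"):
        raise ValueError("section is encrypted; decrypt with aspnet_regiis -pdf before editing")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for name, value in (values or new_machine_key_values()).items():
        mk.set(name, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", *audit_machine_key(CONSTRUCTED_WEB_CONFIG), sep="\n  ")
    rotated = rotate_machine_key(CONSTRUCTED_WEB_CONFIG)
    print("after:", *audit_machine_key(rotated), sep="\n  ")
    # Remaining step, run on the server after the rotated file is written (site path is an assumption):
    #   %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pef "system.web/machineKey" "C:\inetpub\wwwroot\Sitecore"
```

The audit deliberately reports an encrypted section as unverified rather than safe: encrypting `<machineKey>` hides the value from a casual read of the file but does nothing if the value inside is still the published sample, so rotation comes first and encryption second. Roll the new pair out to every CM and CD server together, and expect users to be logged out when the Forms authentication tickets signed with the old key stop validating.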
Tags: Exploit · Fix · LPE · RCE
Weakness: Deserialization of Untrusted Data (CWE-502)
References · 67
- https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability · Exploit
- https://nvd.nist.gov/vuln/detail/CVE-2025-53690 · Security Note
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 · Security Note, Vendor Advisory
- https://reddit.com/r/CVEWatch/comments/1naph47/top_10_trending_cves_07092025 · Reddit Post
- https://twitter.com/VolerionSec/status/1963337455811088880 · Twitter Post
- https://twitter.com/404LabsX/status/1964417771229327733 · Twitter Post
- https://twitter.com/helpnetsecurity/status/1963568228422033431 · Twitter Post
- https://twitter.com/moton/status/1963735335105691875 · Twitter Post
- https://twitter.com/Cyb3r_5wift/status/1964053417950609754 · Twitter Post
- https://twitter.com/rxerium/status/1963695628539597145 · Twitter Post
- https://twitter.com/ptdbugs/status/1963941256700031177 · Twitter Post
- https://t.me/CVEtracker/31631 · Telegram Post
- https://twitter.com/kernyx64/status/1964734326861426939 · Twitter Post
- https://twitter.com/eyalestrin/status/1963621127269519560 · Twitter Post
- https://reddit.com/r/KibernetinisSaugumas/comments/1n9ujos/%C4%AFsilau%C5%BE%C4%97liai_pasinaudojo_sitecore_nulin%C4%97s_dienos · Reddit Post