Full Report
A critical zero-day vulnerability in several Sitecore products could allow attackers to execute code remotely. The vulnerability, identified as CVE-2025-53690, stems from a ViewState deserialization flaw and is being actively exploited in the wild. The investigation by Mandiant revealed that attackers are leveraging exposed ASP.NET machine keys that were included in Sitecore deployment guides from […] The post Google Warns of Zero-Day Vulnerability in Sitecore Products Allowing Remote Code Execution appeared first on Cyber Security News.
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Sitecore via ViewState Deserialization
## CVE Details
- CVE ID: CVE-2025-53690
- CVSS Score: N/A (Critical severity implied by RCE and active exploitation)
- CWE: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC)
- Versions: Not tied to a product version. Any deployment still using the sample machine keys from Sitecore deployment guides published in 2017 and earlier is exposed, regardless of patch level.
- Configurations: Internet-facing Sitecore instances whose `web.config` still carries a default, shared, or published `<machineKey>`. (XM Cloud, Content Hub, and OrderCloud are explicitly noted as **not affected**).
## Vulnerability Description
This is a critical zero-day deserialization issue (CWE-502) in the ASP.NET ViewState handling of the affected Sitecore products. ASP.NET protects the `__VIEWSTATE` form field with a MAC computed under the `validationKey` from the `<machineKey>` element in `web.config`, and deserializes any ViewState whose MAC verifies. Sitecore's pre-2017 deployment guides shipped a sample `<machineKey>`, so deployments that pasted it verbatim share a key the attacker already holds. With that key an attacker computes a valid MAC over a malicious serialized payload (a gadget chain of the kind produced by ysoserial.net), POSTs it to an ASP.NET page on the site, and the application deserializes it, giving **Remote Code Execution (RCE)** as the IIS application pool identity. No authentication is required and no weakness in the MAC algorithm is involved: the integrity check works as designed, but the key it relies on is public.
## Exploitation
- Status: **Exploited in the wild**
- Complexity: Low. Once the published key is known, forging a MAC-valid ViewState payload is a single unauthenticated HTTP POST; active exploitation confirms it is practical at scale.
- Attack Vector: Network
## Impact
- Confidentiality: High (Implied by subsequent malware deployment for data exfiltration)
- Integrity: High (Implied by RCE and privilege escalation)
- Availability: High (Implied by potential system compromise and disruption)
***Post-Exploitation Activity Noted:*** Attackers used custom malware named **WEEPSTEAL** for internal reconnaissance, followed by staging tools like **EARTHWORM** (tunneling), **DWAGENT** (remote access), and **SHARPHOUND** (AD reconnaissance). Privilege escalation included creating local administrator accounts and attempting credential dumping.
## Remediation
### Patches
- Sitecore has acknowledged the vulnerability (SC2025-005). Specific patch versions are not listed in the summary, but customers should refer to the official Sitecore advisory (KB1003865).
- Sitecore has updated deployment processes to automatically generate unique machine keys.
### Workarounds
- Rotate machine keys immediately if the deployment still uses sample, shared, or source-controlled keys: replace the `<machineKey>` in `web.config` with freshly generated random values, and do so on every node of a web farm at once, since the nodes must share the same key. Rotation invalidates outstanding ViewState and forms-authentication tickets, so expect users to be signed out.
- Ensure ViewState MAC is enabled (`enableViewStateMac` must not be set to `"false"`; ASP.NET builds updated since Microsoft Security Advisory 2905247 ignore attempts to disable it). The MAC only helps while the key is secret; it does not protect a deployment whose key was published.
- Encrypt any plaintext secrets stored in the environment (connection strings, service credentials), since an attacker with code execution reads `web.config` directly.
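The following script is an added example for this summary, not Sitecore's code or tooling. It audits the `<machineKey>` and `enableViewStateMac` settings that the description and the workarounds above turn on, flags keys that match a caller-supplied list of published sample keys, and emits a hardened `web.config` with freshly generated keys. The `web.config` it parses is constructed for the example, and its key values are placeholders invented here, not the keys from any Sitecore guide.

```python
"""Audit an ASP.NET web.config <machineKey> and emit a hardened replacement.

Added example for this summary; it is not Sitecore's code. The web.config
below is constructed and its key values are placeholders invented here,
NOT the keys from any Sitecore deployment guide.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Placeholders standing in for a key pair copied verbatim from a published guide.
SAMPLE_GUIDE_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars
SAMPLE_GUIDE_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars
KNOWN_SAMPLE_KEYS = frozenset({SAMPLE_GUIDE_VALIDATION_KEY, SAMPLE_GUIDE_DECRYPTION_KEY})

# Constructed web.config: published keys, a weak MAC algorithm, and MAC disabled.
WEAK_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="{SAMPLE_GUIDE_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_GUIDE_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION_ALGORITHMS = {"MD5", "SHA1", "3DES", "DES"}


def audit_machine_key(web_config_xml, known_sample_keys=frozenset()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(web_config_xml)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append('enableViewStateMac="false": ViewState accepted with no integrity check')

    mk = root.find("./system.web/machineKey")
    if mk is None:
        # Without an explicit element ASP.NET autogenerates a per-host key. That is
        # fine for one box, but every node in a farm must share one secret key.
        findings.append("no <machineKey>: per-host autogenerated key; set an explicit unique key on farms")
        return findings

    samples = {k.upper() for k in known_sample_keys}
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in samples:
            findings.append(f"{attr} matches a published sample key: anyone with the guide can forge ViewState")
        elif not re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append(f"{attr} is not a hex string (did a placeholder survive deployment?)")

    algo = mk.get("validation", "HMACSHA256").upper()
    if algo in WEAK_VALIDATION_ALGORITHMS:
        findings.append(f'validation="{algo}" is weak; use HMACSHA256 or stronger')
    return findings


def generate_machine_key_element():
    """Fresh, unique keys in the hex form ASP.NET expects: 64-byte HMAC key, 32-byte AES key."""
    mk = ET.Element("machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return mk


def harden_web_config(web_config_xml):
    """Replace the machineKey with generated keys and re-enable ViewState MAC.

    Rotating the key invalidates outstanding ViewState and forms-auth tickets,
    so roll it across all farm nodes at once and expect users to be signed out.
    """
    root = ET.fromstring(web_config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    pages = system_web.find("pages")
    if pages is not None and "enableViewStateMac" in pages.attrib:
        del pages.attrib["enableViewStateMac"]
    old = system_web.find("machineKey")
    if old is not None:
        system_web.remove(old)
    system_web.append(generate_machine_key_element())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(WEAK_WEB_CONFIG, KNOWN_SAMPLE_KEYS):
        print("FINDING:", finding)
    print(harden_web_config(WEAK_WEB_CONFIG))
```

Feed `audit_machine_key` the real sample keys from whatever guide your deployment followed; the script deliberately does not embed them. The generated element must be identical on every node of a farm, so write it once and distribute it rather than running the generator per host.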
## Detection
- **Indicators of Compromise (IOCs):** The report names tooling rather than hashes or addresses: the custom reconnaissance malware `WEEPSTEAL`, `EARTHWORM` tunneling, the `DWAGENT` remote access tool, and `SHARPHOUND` Active Directory collection. Treat any of these on a Sitecore host as a confirmed compromise, not a suspicion.
- **Detection Methods:** Alert on the IIS worker process (`w3wp.exe`) spawning `cmd.exe`, `powershell.exe`, or other interpreters, which is how a ViewState payload first executes. Watch the Windows Application log for repeated ASP.NET "Viewstate verification failed" warnings (event code 4009, Event ID 1316), which indicate an attacker probing with the wrong key; a forgery under the correct key passes validation silently and produces no such event, so the absence of failures is not evidence of absence. Review IIS logs for unusually large `__VIEWSTATE` POSTs from unexpected sources. On the host, investigate creation of local administrator accounts (`net user ... /add`, `net localgroup administrators ... /add`) and export of the SAM/SYSTEM hives (for example `reg save HKLM\SAM`).
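The detection logic described above, run over sample host telemetry, as an added example for this summary (not Mandiant's or Sitecore's detection content). The events are constructed: normalised dicts standing in for Sysmon process-creation events and Windows Application-log entries, with invented timestamps, paths, and account name. The rules cover the ViewState probing signal, the worker-process-to-shell transition, local administrator creation, and hive export; the threshold and interpreter list are assumptions to tune locally.

```python
"""Host-side detection for the post-exploitation pattern described above.

Added example for this summary, not Mandiant's or Sitecore's detection content.
The events below are constructed (normalised dicts standing in for Sysmon
process-creation events and Windows Application-log entries); timestamps,
paths and the account name are invented for the example.
"""
import re

SAMPLE_EVENTS = [
    # An attacker probing ViewState with the wrong key trips ASP.NET's integrity check.
    {"ts": "2025-09-03T10:00:01Z", "kind": "app_log", "event_id": 1316,
     "message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
    {"ts": "2025-09-03T10:00:02Z", "kind": "app_log", "event_id": 1316,
     "message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
    {"ts": "2025-09-03T10:00:03Z", "kind": "app_log", "event_id": 1316,
     "message": "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."},
    # A payload that verified under the published key now runs: w3wp.exe spawns a shell.
    {"ts": "2025-09-03T10:00:09Z", "kind": "process",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "whoami & ipconfig /all"'},
    # Privilege escalation: a local administrator account is created.
    {"ts": "2025-09-03T10:05:40Z", "kind": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user asp_svc Xk9!pQ2r /add"},
    {"ts": "2025-09-03T10:05:41Z", "kind": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators asp_svc /add"},
    # Credential dumping attempt: the SAM hive is exported for offline extraction.
    {"ts": "2025-09-03T10:07:12Z", "kind": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\s.hiv"},
    # Benign noise: an interactive admin opening a prompt from Explorer.
    {"ts": "2025-09-03T11:30:00Z", "kind": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Assumed tuning values; adjust to the environment.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe", "certutil.exe"}
MAC_FAILURE_THRESHOLD = 3
LOCAL_ADMIN_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+.*|localgroup\s+administrators\b.*)/add\b", re.I)
HIVE_DUMP_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts as (rule, ts, detail) tuples."""
    alerts = []
    mac_failures = [e for e in events if e["kind"] == "app_log"
                    and (e.get("event_id") == 1316
                         or "viewstate verification failed" in e.get("message", "").lower())]
    if len(mac_failures) >= MAC_FAILURE_THRESHOLD:
        # Caveat: a forgery under the real key verifies cleanly and logs nothing here.
        alerts.append(("viewstate_mac_failures", mac_failures[-1]["ts"], f"{len(mac_failures)} failures"))
    for e in events:
        if e["kind"] != "process":
            continue
        if _basename(e["parent_image"]) == "w3wp.exe" and _basename(e["image"]) in INTERPRETERS:
            alerts.append(("w3wp_spawned_shell", e["ts"], e["cmdline"]))
        if LOCAL_ADMIN_RE.search(e["cmdline"]):
            alerts.append(("local_admin_created", e["ts"], e["cmdline"]))
        if HIVE_DUMP_RE.search(e["cmdline"]):
            alerts.append(("hive_dump", e["ts"], e["cmdline"]))
    return alerts


def rules_fired(events):
    """Distinct rule names triggered, sorted, for quick triage."""
    return sorted({rule for rule, _, _ in detect(events)})


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule:24} {detail}")
```

The `w3wp_spawned_shell` rule is the one with the best signal-to-noise on a Sitecore host; the worker process has no legitimate reason to launch an interpreter. The `viewstate_mac_failures` rule is deliberately a count over a window rather than a single event, because isolated failures occur when a page's key or path changes; it is also the rule that goes silent once the attacker holds the right key.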
## References
- Vendor Advisory ID: SC2025-005
- Sitecore KB Article: hxxps://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865