Ethical Hacking News
A critical vulnerability in Sitecore has been exposed to active exploitation, putting enterprises at risk of remote code execution and data theft. Organizations are advised to rotate ASP.NET machine keys, lock down configurations, and scan their environments for signs of compromise.
A critical vulnerability in Sitecore, a content management platform, has been identified and patched by CISA.The vulnerability allows attackers to exploit exposed ASP.NET machine keys for remote code execution.The attack chain involves ViewState deserialization, lateral movement, and data theft.Threat actors have used leaked ASP.NET machine keys to gain unauthorized access to organizations.Rotating ASP.NET machine keys and locking down configurations are recommended to counter the threat.
CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation
In a recent advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency patch for a critical vulnerability in Sitecore, a content management platform widely used by enterprises across various industries. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating extreme severity.
According to CISA, the vulnerability involves a deserialization of untrusted data vulnerability involving the use of default machine keys in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.
Google-owned Mandiant, which discovered the active ViewState deserialization attack, reported that the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group.
The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the key to deliver the Godzilla post-exploitation framework.
As recently as July, the Initial Access Broker (IAB) known as Gold Melody was attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and sell that access to other threat actors.
In the attack chain documented by Mandiant, CVE-2025-53690 is weaponized to achieve initial compromise of the internet-facing Sitecore instance, leading to the deployment of a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance.
The ViewState payload delivered using the sample machine key specified in publicly available deployment guides is a .NET assembly dubbed WEEPSTEEL, which is capable of gathering system, network, and user information, and exfiltrating the details back to the attacker. The malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py.
With the access obtained, the attackers have been found to establish a foothold, escalate privileges, maintain persistence, conduct internal network reconnaissance, and move laterally across the network, ultimately leading to data theft. Some of the tools used during these phases are listed below:
* EarthWorm for network tunneling using SOCKS
* DWAgent for persistent remote access and Active Directory reconnaissance to identify Domain Controllers within the target network
* SharpHound for Active Directory reconnaissance
* GoTokenTheft for listing unique user tokens active on the system, executing commands using the tokens of users, and listing all running processes and their associated user tokens
* Remote Desktop Protocol (RDP) for lateral movement
The threat actors have also been observed creating local administrator accounts (asp$ and sawadmin) to dump SAM/SYSTEM hives in an attempt to obtain administrator credentials access and facilitate lateral movement via RDP.
"With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods," Mandiant added.
To counter the threat, organizations are recommended to rotate the ASP.NET machine keys, lock down configurations, and scan their environments for signs of compromise.
"The upshot of CVE-2025-53690 is that an enterprising threat actor somewhere has apparently been using a static ASP.NET machine key that was publicly disclosed in product docs to gain access to exposed Sitecore instances," Caitlin Condon, VP of security research at VulnCheck, told The Hacker News.
"The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure — and as we've seen plenty of times before, threat actors definitely read documentation. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet."
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said the issue is the result of Sitecore customers copying and pasting example keys from official documentation, rather than generating unique, random ones.
"Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to Remote Code Execution (RCE)," Dewhurst added.
"Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will."
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-Vulnerability-in-Sitecore-Exposed-to-Active-Exploitation-A-Threat-to-Enterprise-Security-ehn.shtml
https://thehackernews.com/2025/09/cisa-orders-immediate-patch-of-critical.html
https://cybersecuritynews.com/cisa-adds-sitecore-cms-code-execution-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2025-53690
https://www.cvedetails.com/cve/CVE-2025-53690/
Published: Fri Sep 5 12:43:56 2025 by llama3.2 3B Q4_K_M
