Ethical Hacking News

Hackers Exploit Sitecore Zero-Day Flaw to Deploy Highly Persistent Backdoors



Hackers have exploited a zero-day vulnerability in Sitecore to deploy highly persistent backdoors that can remain undetected for extended periods. The vulnerability, identified as CVE-2025-53690, allows attackers who know a reused ASP.NET machine key to craft malicious ViewState payloads that trick the server into deserializing and executing them, leading to remote code execution (RCE). To protect against this threat, administrators are advised to replace static machine keys with new, unique values and to encrypt the machineKey element in web.config.

  • Sitecore deployments have been compromised through a zero-day vulnerability (CVE-2025-53690) that allows attackers to deploy persistent backdoors.
  • The vulnerability is a ViewState deserialization issue caused by customers reusing a sample ASP.NET machine key published in pre-2017 Sitecore guides.
  • Attackers have used the vulnerability to achieve remote code execution (RCE) and deploy reconnaissance backdoors, such as WeepSteel, to gather system information.
  • Mandiant researchers have observed the execution of additional malicious tools, including Earthworm and Dwagent, on compromised environments.
  • Sitecore versions up to 9.0 are affected, but certain platforms are not impacted.
  • Administrators are advised to replace static machine keys with new, unique keys and to encrypt the <machineKey> element in web.config as a precautionary measure.



    Sitecore, a popular content management system (CMS) used by numerous organizations across various industries, has been compromised by hackers who have exploited a zero-day vulnerability in the platform. This vulnerability, identified as CVE-2025-53690, allows attackers to deploy highly persistent backdoors that can remain undetected for extended periods.

    The zero-day flaw is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2017 Sitecore guides. Some customers have reused this key in production, which has allowed attackers with knowledge of the key to craft valid but malicious '__VIEWSTATE' payloads that trick the server into deserializing and executing them, leading to remote code execution (RCE).

    Threat actors have been leveraging this vulnerability in multi-stage attacks, targeting the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field. By achieving RCE under the IIS NETWORK SERVICE account, attackers can deploy a reconnaissance backdoor called WeepSteel, which gathers system, process, disk, and network information. The malicious payload is disguised as standard ViewState responses.

    Mandiant researchers have observed the execution of reconnaissance commands on compromised environments, including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. In subsequent stages of the attack, hackers deployed additional tools, such as Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip, which is used to create archives of the stolen data.
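The two paragraphs above name the signals a defender can look for: POSTs to the unauthenticated ViewState endpoint, and reconnaissance commands launched by the IIS worker process under NETWORK SERVICE. The following is an added example, not code from the article or from Mandiant, that runs those two checks over constructed sample data: an IIS W3C log excerpt and a few process-creation events shaped like Sysmon Event ID 1 fields. It assumes the IIS worker process is w3wp.exe and that the recon commands of interest are the five listed in the article; the log lines, IP addresses and events are constructed for the example.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not from any real incident): one normal GET,
# two POSTs to the unauthenticated ViewState endpoint from the same client,
# and a harmless GET of the same page.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status cs-bytes
2025-09-03 10:15:01 GET /sitecore/login - 203.0.113.10 200 512
2025-09-03 10:15:07 POST /sitecore/blocked.aspx - 198.51.100.23 200 14233
2025-09-03 10:15:09 POST /sitecore/blocked.aspx - 198.51.100.23 200 14301
2025-09-03 10:16:00 GET /sitecore/blocked.aspx - 203.0.113.11 200 301
"""

# The endpoint named in the article: it carries a ViewState field without authentication.
VIEWSTATE_ENDPOINT = "/sitecore/blocked.aspx"


def parse_w3c(text):
    """Yield one dict per log record, using the '#Fields:' header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def flag_viewstate_posts(text):
    """Return {client_ip: count} for POSTs to the unauthenticated ViewState endpoint.

    A GET of the page is normal; a POST is the only way to submit a __VIEWSTATE
    value, so POSTs here are worth triage regardless of the status code.
    """
    hits = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "POST" and rec.get("cs-uri-stem", "").lower() == VIEWSTATE_ENDPOINT:
            hits[rec["c-ip"]] += 1
    return dict(hits)


# Constructed process-creation events (Sysmon Event ID 1 style field names).
# The first three are the pattern described in the article; the last is an
# interactive administrator and must not be flagged.
NETWORK_SERVICE = r"NT AUTHORITY\NETWORK SERVICE"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
     "ParentImage": W3WP, "User": NETWORK_SERVICE},
    {"Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all",
     "ParentImage": W3WP, "User": NETWORK_SERVICE},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c netstat -ano",
     "ParentImage": W3WP, "User": NETWORK_SERVICE},
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\admin"},
]

# The reconnaissance commands Mandiant reported seeing.
RECON_COMMANDS = {"whoami", "hostname", "tasklist", "ipconfig", "netstat"}


def recon_command_in(command_line):
    """Return the first recon command found in a command line, or None.

    Every token is reduced to its basename without '.exe', so a command wrapped
    in 'cmd.exe /c ...' is still recognised.
    """
    for tok in command_line.split():
        name = tok.rsplit("\\", 1)[-1].lower()
        if name.endswith(".exe"):
            name = name[:-4]
        if name in RECON_COMMANDS:
            return name
    return None


def flag_recon_from_iis(events):
    """Return [(command, user)] for recon commands whose parent is the IIS worker process."""
    findings = []
    for ev in events:
        if not ev["ParentImage"].lower().endswith("\\w3wp.exe"):
            continue
        cmd = recon_command_in(ev["CommandLine"])
        if cmd:
            findings.append((cmd, ev["User"]))
    return findings


if __name__ == "__main__":
    print("ViewState POSTs by client:", flag_viewstate_posts(IIS_LOG))
    print("Recon spawned by w3wp.exe:", flag_recon_from_iis(PROCESS_EVENTS))
```

The process-creation check is the more robust of the two: a web server's worker process has no business running whoami or netstat under any account, so it stays useful even if the attacker's HTTP traffic is tunnelled through Earthworm or moves to another ViewState-bearing page.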

    Attackers escalated their privileges by creating local administrator accounts ('asp$', 'sawadmin'), dumping cached credentials (the SAM and SYSTEM registry hives), and attempting token impersonation via GoTokenTheft. Persistence was secured by disabling password expiration for these accounts, giving them RDP access, and registering Dwagent as a SYSTEM service.

    This vulnerability has been identified in various versions of Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, up to version 9.0. However, certain platforms, such as XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server, are not impacted.

    In response to this incident, Sitecore has published a security bulletin in coordination with Mandiant's report, warning that multi-instance deployments with static machine keys are also at risk. The recommended actions for potentially impacted administrators include immediately replacing all static values in web.config with new, unique keys and ensuring the <machineKey> element inside web.config is encrypted.

    In general, it is recommended to adopt regular static machine key rotation as an ongoing security measure. Furthermore, more information on how to protect ASP.NET machine keys from unauthorized access can be found here.
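The remediation above has two parts: find web.config files that still carry a static, unencrypted <machineKey>, and replace those values with fresh random keys. The following is an added example, not code from Sitecore's bulletin or from the article, that audits a web.config for that condition and rotates the keys. It assumes ASP.NET's standard attribute names (validationKey, decryptionKey, and the configProtectionProvider attribute that aspnet_regiis leaves on an encrypted section); the sample configuration and its PLACEHOLDER key values are constructed for the example and are not the leaked sample key.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config (not a real Sitecore file): a static, unencrypted
# <machineKey> of the kind the bulletin tells administrators to replace. The
# PLACEHOLDER values stand in for whatever static key was copied from a guide.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-STATIC-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-STATIC-DECRYPTION-KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml):
    """Classify the <machineKey> element of a web.config.

    Returns a dict of booleans:
      present      - the element exists
      encrypted    - the section was protected (aspnet_regiis sets configProtectionProvider)
      auto_generate- keys are AutoGenerate (ASP.NET's per-machine default)
      static_keys  - literal key values sit in the file in clear text
    """
    root = ET.fromstring(config_xml)
    result = {"present": False, "encrypted": False, "auto_generate": False, "static_keys": False}
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element at all means ASP.NET auto-generates keys per machine.
        result["auto_generate"] = True
        return result
    result["present"] = True
    if mk.get("configProtectionProvider") is not None:
        # Encrypted sections carry <EncryptedData> instead of key attributes.
        result["encrypted"] = True
        return result
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    result["auto_generate"] = vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate")
    result["static_keys"] = not result["auto_generate"]
    return result


def generate_machine_key():
    """Fresh keys: 64 random bytes for HMACSHA256 validation, 32 for AES-256 decryption.

    ASP.NET takes both as hex strings, which is what token_hex produces.
    """
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def rotate_machine_key(config_xml):
    """Return the config with a new, unique <machineKey>, creating the element if needed."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    new_keys = generate_machine_key()
    mk.set("validationKey", new_keys["validationKey"])
    mk.set("decryptionKey", new_keys["decryptionKey"])
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(rotated))
```

Rotation leaves the new keys in clear text, which is why the audit still reports static_keys afterwards; encrypting the section is the separate step the bulletin asks for and is normally done with aspnet_regiis.exe -pe on the section path. Two operational caveats: every instance of a multi-instance deployment must receive the same new key pair, otherwise ViewState produced by one node fails validation on another, and rotation invalidates in-flight ViewState and forms-authentication tickets, so schedule it like any other restart.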



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Sitecore-Zero-Day-Flaw-to-Deploy-Highly-Persistent-Backdoors-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-exploited-sitecore-zero-day-flaw-to-deploy-backdoors/

  • https://www.securityweek.com/hackers-exploit-sitecore-zero-day-for-malware-delivery/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-53690

  • https://www.cvedetails.com/cve/CVE-2025-53690/


  • Published: Thu Sep 4 14:19:48 2025 by llama3.2 3B Q4_K_M
