CISA Warns of Sitecore Experience Platform Zero-day Vulnerability (CVE-2025-53690)

Threat actors are exploiting a zero-day vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP), tracked as CVE-2025-53690. The vulnerability is rated critical, with a CVSS score of 9.0. Successful exploitation may lead to remote code execution and unauthorized access to information. Mandiant Threat Defense identified active exploitation of this vulnerability in Sitecore products using the exposed sample key.

Some reports suggest the vulnerability is being used to deploy the WeepSteel reconnaissance malware.

CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities (KEV) Catalog. CISA urges users to patch the flaw before September 25, 2025.

The Sitecore Experience Platform (XP) is a comprehensive Digital Experience Platform (DXP) that combines content management, marketing automation, analytics, and e-commerce to deliver personalized customer experiences across multiple digital channels. It enables businesses to create, manage, and optimize content for various websites and languages, using customer data and AI-powered tools to nurture customer journeys.

Vulnerability Details

The vulnerability originates from the use of a sample ASP.NET machine key that was published in publicly available deployment guides (from 2017 and earlier). Because the key is known, ViewState validation no longer guarantees integrity: attacker-supplied ViewState passes validation, is deserialized unsafely, and can lead to remote code execution.
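The practical check for this class of weakness is whether an application's web.config still carries a machineKey copied from documentation rather than one generated for that deployment. The script below is an added example written for this post, not Sitecore's or Qualys's code: it pulls the machineKey element out of a constructed web.config, flags values that match a list of keys the organization knows to be published samples (the placeholder values here are invented for the example; the page does not reproduce the real sample key), flags weak validation or decryption algorithms, and rotates the element to a freshly generated key pair. The element names are standard ASP.NET; the sample key values and the known-sample list are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed web.config fragment. The key values are PLACEHOLDERS invented for
# this example; they are not the real Sitecore sample key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SAMPLE_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SAMPLE_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Keys the organization knows to have appeared in public guides (assumed list).
KNOWN_SAMPLE_KEYS = {
    "PLACEHOLDER_SAMPLE_VALIDATION_KEY",
    "PLACEHOLDER_SAMPLE_DECRYPTION_KEY",
}
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def find_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the first <machineKey> element, or None."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    return dict(node.attrib) if node is not None else None


def audit_machine_key(config_xml: str) -> List[str]:
    """List findings: known sample keys and weak algorithms."""
    findings: List[str] = []
    mk = find_machine_key(config_xml)
    if mk is None:
        # No explicit key: ASP.NET auto-generates one per server, so a shared
        # published key is not in play (though web-farm ViewState will not validate).
        return findings
    for attr in ("validationKey", "decryptionKey"):
        if mk.get(attr, "") in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a known published sample key")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append("validation algorithm is weak: " + mk["validation"])
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append("decryption algorithm is weak: " + mk["decryption"])
    return findings


def generate_machine_key() -> Dict[str, str]:
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str, new_key: Dict[str, str]) -> str:
    """Replace (or add) the <machineKey> element and return the new XML."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        parent = next(root.iter("system.web"))
        node = ET.SubElement(parent, "machineKey")
    node.attrib.clear()
    node.attrib.update(new_key)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", f)
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG, generate_machine_key())
    print("after rotation:", audit_machine_key(rotated) or "no findings")
```

Rotating the key invalidates every ViewState and forms-authentication ticket issued under the old one, so in a web farm the new value has to be deployed to all nodes at once; that is the expected cost of retiring a published key.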

Attack Chain and Techniques

Mandiant’s security researchers discovered a multi-stage attack that includes:

  1. Initial compromise via ViewState deserialization at an unauthenticated endpoint (blocked.aspx), using the exposed machine key.
  2. Deployment of WEEPSTEEL, malware designed for internal reconnaissance.
  3. Collection of sensitive files (e.g., web.config) by archiving the root directory, followed by host/network reconnaissance.
  4. Staging of open-source tools:
    • EARTHWORM (network tunneling)
    • DWAGENT (remote access)
    • SHARPHOUND (Active Directory reconnaissance)
  5. Creation of local admin accounts to extract SAM/SYSTEM registry hives (for credential harvesting), enabling lateral movement via RDP.
  6. Use of DWAGENT to maintain persistence and perform further AD reconnaissance.

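The first step of that chain leaves a recognizable trace in IIS logs: POST requests carrying a ViewState body to an endpoint that ordinarily only serves GETs. The following is an added example, not part of the Mandiant or Qualys material: it parses a constructed IIS W3C log excerpt (the entries, client addresses and the `/blocked.aspx` URI path are invented for the example), reports POSTs to the endpoint, marks unusually large request bodies, and counts hits per source address so the triage can start from the noisiest client. The 8 KB threshold is an assumption to tune against real baselines.

```python
from typing import Dict, List

# Constructed IIS W3C log excerpt (not real telemetry). Spaces inside the
# User-Agent are '+'-encoded as IIS does. cs-bytes is the request size.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2025-09-03 10:14:01 10.0.0.5 GET /blocked.aspx - 443 - 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200 412
2025-09-03 10:14:09 10.0.0.5 POST /blocked.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200 18743
2025-09-03 10:14:10 10.0.0.5 POST /login.aspx - 443 - 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 302 912
2025-09-03 10:15:33 10.0.0.5 POST /blocked.aspx - 443 - 198.51.100.23 python-requests/2.31 200 21002
"""

VIEWSTATE_ENDPOINT = "/blocked.aspx"   # assumed path; match on the page name
LARGE_POST_BYTES = 8192                # assumed threshold for a ViewState payload


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines using the #Fields header for column names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_viewstate_posts(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """POSTs to the ViewState endpoint, annotated with body size and a 'large' flag."""
    hits: List[Dict[str, object]] = []
    for r in rows:
        if r.get("cs-method") != "POST":
            continue
        if not r.get("cs-uri-stem", "").lower().endswith(VIEWSTATE_ENDPOINT):
            continue
        size = int(r.get("cs-bytes", "0"))
        hits.append({
            "time": f'{r.get("date")} {r.get("time")}',
            "c-ip": r.get("c-ip"),
            "user-agent": r.get("cs(User-Agent)"),
            "bytes": size,
            "large": size >= LARGE_POST_BYTES,
        })
    return hits


def posts_per_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged POSTs per client address."""
    counts: Dict[str, int] = {}
    for h in hits:
        ip = str(h["c-ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_viewstate_posts(parse_w3c(SAMPLE_IIS_LOG))
    for h in found:
        print(h)
    print(posts_per_source(found))
```

A 200 response to such a POST is not proof of compromise on its own; correlate it with the later steps of the chain (new local accounts, archive creation under the web root, SAM/SYSTEM hive reads) before escalating.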
Affected versions

The vulnerability affects Sitecore XP 9.0 or earlier.

Mitigation

The vendor released patches to address the vulnerability.

For more information, please refer to the Sitecore Security Bulletin (SC2025-005).

Qualys Detection

Qualys customers can scan their devices with QID 385059 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability/
