Urgent Advisory: Sitecore Vulnerability Requires Immediate Attention
Introduction to the Vulnerability
Agencies within the Federal Civilian Executive Branch (FCEB) have been urged to update their Sitecore systems by September 25, 2025, in light of a significant security flaw currently being exploited. This vulnerability, identified as CVE-2025-53690, has received a critical CVSS score of 9.0 out of 10, indicating its severity.
Nature of the Vulnerability
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the flaw resides in several Sitecore products, including Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. Specifically, it involves the deserialization of untrusted data linked to default machine keys. This makes it possible for attackers to leverage exposed ASP.NET machine keys to execute remote code.
Discovery and Attack Patterns
The security risk was first identified by Mandiant, a Google-owned cybersecurity firm, which uncovered an active ViewState deserialization attack capitalizing on a machine key publicly available in Sitecore deployment manuals from 2017 and earlier. This activity does not appear to be tied to any known threat actor or group.
Mandiant’s researchers noted that the attackers demonstrated a sophisticated understanding of the compromised system, seamlessly transitioning from initial infiltration to escalating privileges within the network.
Historical Context of Exploitation
Microsoft first reported the misuse of publicly disclosed ASP.NET machine keys in February 2025, observing limited exploitation attempts dating back to December 2024. Attackers used these keys to deploy the Godzilla post-exploitation framework. Furthermore, in May 2025, an improper authentication issue affecting ScreenConnect (CVE-2025-3935) was found to be exploited by a state-sponsored actor employing ViewState code injection attacks targeted at select customers.
Current Threat Landscape
As recently as July, an Initial Access Broker (IAB) named Gold Melody was linked to campaigns targeting leaked ASP.NET machine keys, allowing unauthorized access that was later sold to other cybercriminals. Mandiant has documented that CVE-2025-53690 can be weaponized to infiltrate internet-facing Sitecore instances, leading to the use of various tools for reconnaissance, remote access, and Active Directory exploration.
The malware used in these attacks included a .NET assembly known as WEEPSTEEL, which not only gathers system, network, and user data but also facilitates data exfiltration to the attackers.
Tools and Methods in Use
The attackers established footholds and escalated privileges efficiently using a combination of tools designed for network tunneling and reconnaissance. Key tools included:
- EarthWorm: Used for network tunneling with SOCKS.
- DWAgent: For persistent remote access and Active Directory reconnaissance.
- SharpHound: A tool for Active Directory exploration.
- GoTokenTheft: Designed to list user tokens and execute commands with them.
- Remote Desktop Protocol (RDP): Utilized for lateral movement across networks.
Researchers discovered that these attackers often created local administrator accounts, such as asp$ and sawadmin, for the purpose of extracting administrator credentials necessary for further lateral movement.
Closing Recommendations
Organizations are strongly advised to rotate their ASP.NET machine keys and tighten their configuration settings while scanning for any signs of compromise. Caitlin Condon, VP of Security Research at VulnCheck, emphasized that the exploitation of this zero-day vulnerability stems not merely from its configuration but from its public exposure—a reminder that cybercriminals are attentive readers of documentation.
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, pointed out that many Sitecore customers may have unwittingly put themselves at risk by using example keys from official resources instead of generating unique, secure ones. Sitecore has reportedly adapted new deployments to automatically generate secure keys and has reached out to all affected customers.
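To show what the rotation and configuration advice above looks like in practice, here is an added Python audit script; it is not from the article, Sitecore, Mandiant or any other party named on this page. It parses a web.config, flags a static machineKey whose SHA-256 fingerprint appears on a caller-supplied list of keys known to have been published (the sample key and the fingerprint list are constructed for the demo, not the real leaked key), flags undersized keys and weak validation algorithms, and emits a replacement element with keys drawn from the OS CSPRNG. The 64-byte and 32-byte sizes are the ones IIS Manager's "Generate Keys" produces; tracking published keys by SHA-256 fingerprint is an assumption about how a team would keep such a list.

```python
import hashlib, re, secrets
import xml.etree.ElementTree as ET

# Recommended key sizes in bytes: 64 for an HMACSHA256 validationKey and 32 for
# an AES-256 decryptionKey (the sizes IIS Manager's "Generate Keys" produces).
RECOMMENDED_BYTES = {"validationKey": 64, "decryptionKey": 32}
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}

# Constructed sample (made-up key, not the real leaked one): a config that
# pasted a documentation example key and still uses SHA1 validation.
SAMPLE_WEAK_CONFIG = """<configuration><system.web><machineKey
  validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
  decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1"
  decryption="AES" /></system.web></configuration>"""

def generate_key(byte_length):
    """Fresh uppercase hex key from the OS CSPRNG."""
    return secrets.token_hex(byte_length).upper()

def key_fingerprint(key_hex):
    """SHA-256 of a key, so published keys are matched by hash, not raw value."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()

def new_machine_key_element():
    """Replacement <machineKey> with fresh keys and strong algorithms."""
    return (f'<machineKey validationKey="{generate_key(64)}" '
            f'decryptionKey="{generate_key(32)}" '
            'validation="HMACSHA256" decryption="AES" />')

def audit_machine_key(web_config_xml, published_fingerprints=frozenset()):
    """Findings for one web.config; published_fingerprints holds SHA-256
    fingerprints of keys known to appear in public documentation."""
    findings = []
    mk = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if mk is None:  # ASP.NET then auto-generates a key per server
        return ["no <machineKey>: a web farm needs one explicit private key"]
    for attr, want in RECOMMENDED_BYTES.items():
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if key_fingerprint(value) in published_fingerprints:
            findings.append(f"{attr} is a publicly published key: rotate it")
        if not re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append(f"{attr} is not a hex string")
        elif len(value) < want * 2:
            findings.append(f"{attr} is shorter than {want} bytes")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("validation uses a weak MAC: use HMACSHA256")
    return findings
```

Run it over every web.config in a farm and treat any "publicly published key" finding as a rotation plus compromise-assessment trigger, since a known key means ViewState could already have been forged.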
The broader implications of this vulnerability are still unfolding, but it clearly points to a larger pattern of significant and potentially damaging exploits in the near future.