Certain Sitecore deployments are susceptible to ViewState deserialization attacks due to reuse of an exposed sample machine key,
Google’s Mandiant Threat Defense team revealed Wednesday.
Sitecore
disclosed a critical vulnerability tracked as
CVE-2025-53690 on Tuesday, which affects Sitecore Experience Manager (XM), Experience Platform (XP) and Experience Commerce (XC) instances deployed using the sample key provided in deployment instructions for XP 9.0 or earlier.
Attackers used this exposed sample key to achieve ViewState deserialization at the endpoint /sitecore/blocked.aspx, which is publicly accessible, uses a hidden ViewState form and accepts unauthenticated HTTP POST requests, Google researchers found.
ViewStates, a feature of ASP.NET, which Sitecore is built upon, enable the persistence of webpage states by storing them in the hidden “__VIEWSTATE” HTML field.
Sitecore web servers will deserialize ViewState messages validated using the server’s machine key; therefore, when the machine key is known, an attacker can craft malicious ViewState payloads that are validated and deserialized by the server, enabling remote code execution (RCE).
Mandiant Threat Defense disrupts Sitecore zero-day attack
Google found that attackers exploited this zero-day flaw to deploy a reconnaissance tool called WEEPSTEEL and extract critical files including web.config. This provided further leverage for database access, privilege escalation and lateral movement.
The attackers used public directories like the Music and Video folders to stage additional tools, including the open-source network tunnel tool EARTHWORM, open-source remote access tool DWAGENT and open-source Active Director (AD) reconnaissance tool SHARPHOUND, according to Google.
A privilege escalation tool called “helper.exe” was leveraged to gain system privileges, enabling the creation of a local administrator account called asp$. A second local admin account called sawadmin was later created through a DWAGENT remote session.
A token-stealing tool, believed to be the open-source tool GoTokenTheft, was executed using the sawadmin account, and the SYSTEM and SAM registry hives were also dumped to gain credentials needed for lateral movement via the remote desktop protocol (RDP).
The threat attackers used DWAGENT for persistent access and compromised additional administrator accounts leveraging stolen credentials, ultimately removing the asp$ and sawadmin accounts to clean up their tracks.
The attack was ultimately disrupted by Mandiant Threat Defense, which worked with Sitecore to address the ViewState deserialization zero-day.
Addressing CVE-2025-53690
The vulnerability, which has a CVSS score of 9.0, affects customers who used the exposed sample machine key during initial deployment; this machine key would have been copied from Sitecore deployment guides from XP 9.0, released in 2017, or earlier.
Customers who used this key should review their environments for signs of compromise, rotate machine keys within the web.config file, encrypt any secrets stored in web.config and restrict access to web.config to application administrators only, according to Sitecore.
Sitecore also said that newer deployments, after Sitecore XP 9.0, automatically generate a unique machine keys.
