Federal Civilian Executive Branch (FCEB) agencies have been advised to update their Sitecore instances by September 25, 2025. This warning comes after the discovery of a critical security flaw, tracked as CVE-2025-53690, that is being actively exploited. The vulnerability, which has a CVSS score of 9.0, is described as a deserialization of untrusted data flaw in several Sitecore products, including Experience Manager (XM) and Experience Platform (XP).
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the flaw allows attackers to exploit default ASP.NET machine keys to achieve remote code execution. Mandiant, which discovered the active ViewState deserialization attack, noted that the malicious activity leveraged a sample machine key that was exposed in Sitecore's deployment guides from 2017 and earlier. The researchers highlighted the attacker's deep understanding of both the product and the exploited vulnerability.
The abuse of publicly disclosed ASP.NET machine keys has been a known issue since at least December 2024. In the attack chain documented by Mandiant, the CVE-2025-53690 vulnerability is used to gain initial access to an internet-facing Sitecore instance. This initial compromise leads to the deployment of a combination of open-source and custom tools for reconnaissance, remote access, and privilege escalation. The ViewState payload, a .NET assembly named WEEPSTEEL, can collect system information and exfiltrate data.
The attackers have been observed establishing a foothold, escalating privileges, maintaining persistence, and moving laterally within networks to steal data. They have used tools such as EarthWorm for network tunneling, DWAgent for remote access, and SharpHound for Active Directory reconnaissance. They have also created new local administrator accounts to obtain credentials and facilitate lateral movement.
In response to the threat, organizations are advised to immediately rotate their ASP.NET machine keys, secure their configurations, and scan their environments for any signs of compromise. Researchers note that the vulnerability stems from customers copying and pasting example keys from official documentation rather than creating unique ones. Sitecore has confirmed that new deployments now automatically generate keys and that all affected customers have been contacted. The full extent of the impact is not yet known, but the severity of the flaw suggests that wider consequences have yet to surface.
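The remediation above comes down to two checks a defender can automate: does a deployed web.config still carry a static machineKey copied from documentation, and can a fresh, unique key pair be generated for rotation? The script below is an added example written for this article, not Sitecore's or Mandiant's code. It parses a web.config, flags a validationKey or decryptionKey that matches a deny-list of known sample keys (the list here holds only constructed placeholders; the real key from the old deployment guides is not reproduced), flags weak validation or decryption algorithms and malformed or short keys, and emits a replacement element with CSPRNG-generated keys of the lengths HMACSHA256 and AES expect.

```python
"""Audit an ASP.NET web.config machineKey and emit a fresh replacement.

Added example, not from the article or from Sitecore: flags static
<machineKey> values that match known documentation sample keys and
generates random replacement keys suitable for rotation.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for documentation sample keys.
# The actual key published in Sitecore's old deployment guides is
# deliberately NOT reproduced; populate these from vendor advisories.
KNOWN_SAMPLE_VALIDATION_KEYS = {
    "0123456789ABCDEF" * 8,   # constructed placeholder, 128 hex chars
}
KNOWN_SAMPLE_DECRYPTION_KEYS = {
    "FEDCBA9876543210" * 4,   # constructed placeholder, 64 hex chars
}

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def audit_machine_key(web_config_xml: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means ASP.NET's default AutoGenerate,IsolateApps applies:
        # keys are unique per server, so nothing to flag here.
        return findings
    vk = mk.get("validationKey", "")
    dk = mk.get("decryptionKey", "")
    if vk.upper() in {k.upper() for k in KNOWN_SAMPLE_VALIDATION_KEYS}:
        findings.append("validationKey matches a known documentation sample key")
    if dk.upper() in {k.upper() for k in KNOWN_SAMPLE_DECRYPTION_KEYS}:
        findings.append("decryptionKey matches a known documentation sample key")
    # Weak algorithm choices undermine the ViewState MAC even with unique keys.
    validation = mk.get("validation", "").upper()
    if validation in {"MD5", "SHA1"}:
        findings.append(f"weak validation algorithm {validation}")
    if mk.get("decryption", "").upper() in {"DES", "3DES"}:
        findings.append("weak decryption algorithm")
    # Static keys must be hex and long enough for the chosen algorithms.
    for name, value, expected in (("validationKey", vk, 128),
                                  ("decryptionKey", dk, 64)):
        if value.startswith("AutoGenerate"):
            continue
        if not HEX_RE.match(value):
            findings.append(f"{name} is not valid hex")
        elif len(value) < expected:
            findings.append(f"{name} is shorter than recommended "
                            f"({len(value)} < {expected} hex chars)")
    return findings


def generate_machine_key_element() -> str:
    """Produce a replacement <machineKey> with fresh random keys.

    HMACSHA256 uses a 64-byte validationKey (128 hex chars) and AES a
    32-byte decryptionKey (64 hex chars); secrets.token_hex is CSPRNG-backed.
    """
    vk = secrets.token_hex(64).upper()
    dk = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{vk}" decryptionKey="{dk}" '
            'validation="HMACSHA256" decryption="AES" />')


# Constructed sample web.config that reuses the placeholder sample keys.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{'0123456789ABCDEF' * 8}"
                decryptionKey="{'FEDCBA9876543210' * 4}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("Replacement:", generate_machine_key_element())
```

Run it against each web.config in a deployment (including any applicationHost.config or parent-level config that sets a machineKey) rather than only the site root, and treat a key shared across unrelated environments as a finding even when it is not on the sample list.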