CISA Urges Immediate Patching of Critical Sitecore Vulnerability Due to Ongoing Exploitation Risks

Federal Civilian Executive Branch (FCEB) agencies are urged to update their Sitecore instances by September 25, 2025, due to a critical security vulnerability, CVE-2025-53690, which has been actively exploited. This vulnerability, rated with a CVSS score of 9.0, affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a deserialization of untrusted data vulnerability linked to the use of default machine keys. Attackers can exploit exposed ASP.NET machine keys to achieve remote code execution. Google-owned Mandiant discovered that the active ViewState deserialization attack utilised a sample machine key from Sitecore deployment guides dating back to 2017. The threat intelligence team did not associate the activity with any known threat actor or group.

The attackers demonstrated a sophisticated understanding of the compromised product and the exploited vulnerability, progressing from initial server compromise to privilege escalation. Microsoft first documented the abuse of publicly disclosed ASP.NET machine keys in February 2025, noting limited exploitation activity since December 2024. In May 2025, ConnectWise revealed an improper authentication flaw in ScreenConnect (CVE-2025-3935), which had been exploited by a nation-state threat actor for ViewState code injection attacks. As of July, the Initial Access Broker known as Gold Melody was linked to campaigns exploiting leaked ASP.NET machine keys for unauthorised access. Mandiant's documented attack chain shows that CVE-2025-53690 is weaponised to compromise internet-facing Sitecore instances, after which the attackers deploy a mix of open-source and custom tools for reconnaissance and remote access. The ViewState payload, delivered using the exposed machine key, is a .NET assembly called WEEPSTEEL, capable of gathering system, network, and user information and exfiltrating it back to the attacker. With this access, attackers establish a foothold, escalate privileges, maintain persistence, and conduct internal network reconnaissance, moving laterally across the network.
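The root cause in both paragraphs above is a machineKey that an attacker can know: a value copied from a deployment guide, combined with legacy ViewState settings. As an added defender-side example (not code from the article, Sitecore or Mandiant), the following Python script reads an ASP.NET web.config and flags exactly those conditions: a key matching a known published sample, weak validation or decryption algorithms, or ViewState MAC disabled. The "published key" fingerprint and both sample configurations are constructed placeholders, not the real Sitecore sample key.

```python
"""Audit an ASP.NET web.config for machineKey settings that make ViewState
forgery possible once the key is public. The 'known public key' fingerprint
below is a constructed placeholder, not the real Sitecore sample key."""
import hashlib
import xml.etree.ElementTree as ET

SAMPLE_PUBLIC_KEY = "A" * 128  # constructed stand-in for a documentation sample key
# Fingerprints (SHA-256 of the key string) of keys known to have been published.
KNOWN_PUBLIC_KEY_HASHES = {hashlib.sha256(SAMPLE_PUBLIC_KEY.encode()).hexdigest()}
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_web_config(xml_text: str) -> list[str]:
    """Return severity-prefixed findings for one web.config document."""
    findings = []
    system_web = ET.fromstring(xml_text).find("system.web")
    mk = system_web.find("machineKey") if system_web is not None else None
    if mk is None:
        # No explicit key: the framework generates one per machine, which only
        # matters on web farms where every node must share the same key.
        return ["INFO: no <machineKey>; keys are auto-generated per machine"]
    for attr in ("validationKey", "decryptionKey"):
        key = mk.get(attr, "AutoGenerate,IsolateApps")
        if key.startswith("AutoGenerate"):
            continue
        if hashlib.sha256(key.encode()).hexdigest() in KNOWN_PUBLIC_KEY_HASHES:
            findings.append(f"CRITICAL: {attr} matches a publicly documented sample key")
    # Default validation algorithm is HMACSHA256 on .NET 4.5+; older defaults are weaker.
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"HIGH: validation='{validation}' is weak; use HMACSHA256 or stronger")
    if mk.get("decryption", "Auto").upper() in {"DES", "3DES"}:
        findings.append("HIGH: decryption uses DES/3DES; use AES")
    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("CRITICAL: enableViewStateMac=false; ViewState has no integrity check")
    return findings


# Constructed configs: one reusing the "published" key with legacy settings,
# one with a unique key and modern algorithms.
VULNERABLE_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_PUBLIC_KEY}" decryptionKey="{'B' * 48}"
              validation="SHA1" decryption="3DES"/>
  <pages enableViewStateMac="false"/>
</system.web></configuration>"""
HARDENED_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{'C' * 128}" decryptionKey="{'D' * 64}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""
```

Run `audit_web_config` over every web.config on a Sitecore host; any key that appears in vendor documentation, a public repository or a ticket must be rotated, since a matching fingerprint means anyone can sign ViewState for that application.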
