
Sitecore Zero-Day Vulnerability Exploited by Cyber Attackers (CVE-2025-53690): What You Need to Know

A threat actor is exploiting a zero-day vulnerability, identified as CVE-2025-53690, alongside an exposed sample ASP.NET machine key to compromise internet-facing, on-premises deployments of various Sitecore solutions, as revealed by Mandiant. CVE-2025-53690 is a ViewState deserialization vulnerability that impacts all versions of Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. Deployed instances are vulnerable if they were set up using a sample machine key provided with deployment instructions for XP 9.0 or earlier and Active Directory 1.4. The vulnerability may also affect all XM, XP, and XC topologies in multi-instance modes with customer-managed static machine keys, as well as Managed Cloud Standard with Containers environments. Successful exploitation of this flaw can lead to remote code execution on affected instances.

Mandiant’s incident responders intervened during the attack, preventing its completion but also limiting their view of the full attack lifecycle. They observed that the threat actor initially probed the victim’s web server with HTTP requests to various endpoints, ultimately focusing on the /sitecore/blocked.aspx page, which utilises a hidden ViewState form. ViewState is an ASP.NET feature that maintains webpage state by storing data in a hidden HTML field named __VIEWSTATE. The attackers exploited the server’s deserialization of ViewState messages, taking advantage of absent or circumvented validation mechanisms. With the correct machine key and a publicly available tool, they crafted malicious ViewState requests that enabled remote code execution. Once inside, the attackers installed malware to gather and exfiltrate system, network, and user information, exfiltrated critical Sitecore configuration files, and established covert command and control communication.
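The root cause described above is a deployment that kept a published sample machine key, or a static key shared across instances, in web.config. The following audit helper is an added example (not code from Mandiant, Sitecore, or this post) that parses a web.config, flags machineKey values matching a known-sample list, flags any static key for review, and reports a disabled ViewState MAC; the sample key values and the two web.config documents are constructed placeholders, since the post does not reproduce the real exposed key.

```python
import xml.etree.ElementTree as ET

# PLACEHOLDER values: the post does not publish the exposed sample key, so an
# operator must substitute the real sample values from the vendor advisory.
KNOWN_SAMPLE_KEYS = {
    "PLACEHOLDER_SAMPLE_VALIDATION_KEY",
    "PLACEHOLDER_SAMPLE_DECRYPTION_KEY",
}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> and <pages> settings in a web.config."""
    findings: list[str] = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            if value in KNOWN_SAMPLE_KEYS:
                findings.append(f"{attr} matches a published sample key: rotate immediately")
            elif value and not value.startswith("AutoGenerate"):
                # Static keys are required for multi-instance farms, but each
                # deployment must use its own secret, never a copied value.
                findings.append(f"{attr} is a static key: confirm it is unique and rotate")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without MAC validation")
    return findings


# Constructed web.config fragments for demonstration (not from a real deployment).
RISKY_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SAMPLE_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SAMPLE_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

SAFE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(RISKY_WEB_CONFIG):
        print("FINDING:", finding)
```

Running it against the constructed risky fragment yields three findings (two sample-key hits and the disabled MAC), while the autogenerated configuration yields none.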

Categories: Cybersecurity, Vulnerability Exploitation, Remote Code Execution 

Tags: Zero-Day Vulnerability, CVE-2025-53690, ViewState Deserialization, Sitecore, Remote Code Execution, ASP.NET, Machine Key, Exfiltration, C2 Communication, Malware 
