Take action immediately! Experts are cautioning about the ongoing exploitation of vulnerabilities in various Sitecore products, which could negatively impact your SEO.

Australian software company Sitecore has warned of a critical vulnerability in several of its products that could lead to remote code execution and the exfiltration of sensitive data.

The vulnerability – tracked as CVE-2025-53690 – potentially impacts four of Sitecore’s products: Experience Manager, Experience Platform, Experience Commerce, and Managed Cloud.

The issue impacts customers who followed the deployment instructions that came with XP 9.0 or earlier and Active Directory 1.4 or earlier. In some cases, customers have been found to have used the sample machine key included in those instructions, which date back to 2017.

“The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones – a move we don’t recommend,” Ryan Dewhurst, watchTowr’s head of proactive threat intelligence, told Cyber Daily.

“Any deployment running with these known keys was left exposed to ViewState deserialisation attacks, a straight path right to remote code execution.”

Sitecore has recommended its customers rotate machine keys immediately, but that may not be enough, according to Caitlin Condon, VP of security research at VulnCheck.

“Unfortunately, rotating keys and locking down configurations isn’t enough on its own if threat actors were able to gain access to an organisation’s network,” Condon said.
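As an added example (not code from the article, Sitecore or the researchers quoted), the kind of check a defender would run against an ASP.NET web.config after reading the above: it flags a `<machineKey>` whose keys are hard-coded rather than auto-generated, compares them against a placeholder list standing in for published documentation sample keys (the real sample values are not reproduced here), and generates a fresh replacement pair for the rotation Sitecore recommends.

```python
"""Audit an ASP.NET web.config <machineKey> and produce a fresh replacement.

Added example, not Sitecore's or the article's code. KNOWN_SAMPLE_KEYS holds
constructed placeholders standing in for keys copied from public documentation;
a real audit would load the actual published sample values instead.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders (upper-case hex, as web.config expects).
KNOWN_SAMPLE_KEYS = {
    "A" * 128,   # stands in for a published sample validationKey
    "B" * 64,    # stands in for a published sample decryptionKey
}

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <system.web><machineKey> element, if any."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return []  # ASP.NET default is AutoGenerate,IsolateApps: nothing static to leak
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue  # key is generated at runtime, not present in the file
        findings.append(f"{attr} is hard-coded in web.config")
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a known documentation sample key")
    return findings

def generate_machine_key() -> dict[str, str]:
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }

# Constructed sample web.config carrying the placeholder "copied" keys.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'A' * 128}" decryptionKey="{'B' * 64}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("replacement:", generate_machine_key())
```

A static key that does not match a known sample is still reported as hard-coded, since any key present in a shared or leaked config file is at risk; as Condon notes, rotation alone does not evict an attacker who already used the old key to get in.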


