CVE-2025-53690 — Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability

Sitecore XM/XP/XC — ASP.NET Machine Key ViewState Deserialization RCE; WEEPSTEEL Malware (Mandiant)

What is Sitecore?

Sitecore is a leading enterprise digital experience platform (DXP) used by large organizations and government agencies for website content management, customer experience personalization, and e-commerce. Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) are deployed on-premises as ASP.NET applications on Windows Server / IIS. Sitecore-powered websites often handle sensitive user data, manage e-commerce transactions, and integrate with CRM and marketing automation systems. Because Sitecore is internet-facing by design and runs in a trusted application server context, a code execution vulnerability can expose the full underlying server.

Overview

CVE-2025-53690 is a critical deserialization vulnerability (CWE-502) in Sitecore's on-premises products caused by the use of publicly known default ASP.NET machine keys from pre-2017 Sitecore documentation. ASP.NET uses machine keys to sign and validate ViewState — the serialized page state transmitted in HTTP requests. Because Sitecore's legacy deployment guides included sample static machine keys that many organizations deployed verbatim, attackers who know these keys can forge malicious __VIEWSTATE payloads that ASP.NET deserializes and executes as code. Mandiant discovered active exploitation and the WEEPSTEEL reconnaissance backdoor deployed against compromised instances. CISA added it to the KEV catalog one day after disclosure.

Affected Versions

Product                              Vulnerable      Condition
Sitecore Experience Manager (XM)     All versions    Default sample <machineKey> from pre-2017 docs present in web.config
Sitecore Experience Platform (XP)    All versions    Same condition
Sitecore Experience Commerce (XC)    All versions    Same condition
Sitecore Managed Cloud               All versions    Same condition

Not affected: Sitecore XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, Commerce Server.

There is no code patch — this is a configuration vulnerability. The fix is to replace the machine key. Current Sitecore deployment tooling generates unique machine keys automatically; the issue persists only in legacy installations that retained sample keys.

Technical Details

The vulnerability (CWE-502: Deserialization of Untrusted Data) exploits ASP.NET's ViewState mechanism. ViewState stores serialized page state in a hidden __VIEWSTATE form field, transmitted with each postback request. ASP.NET uses the machine key (from web.config → <system.web> → <machineKey>) to sign (HMAC) and optionally encrypt ViewState, preventing tampering.

Sitecore's pre-2017 deployment guides contained sample <machineKey> values (e.g., decryptionKey and validationKey with specific hex values). Many organizations copied these values verbatim into production environments and never changed them. Because these keys are now publicly known, any attacker can:

  1. Craft a malicious __VIEWSTATE payload containing a .NET deserialization gadget chain targeting classes available in the Sitecore/ASP.NET runtime.
  2. Sign the payload using the known machine key — producing a valid HMAC that ASP.NET accepts.
  3. Submit the payload via an HTTP POST to any Sitecore endpoint that processes ViewState (e.g., /sitecore/blocked.aspx).
  4. ASP.NET deserializes the payload and executes the gadget chain as the IIS application pool identity.

This attack class is not unique to Sitecore — Microsoft warned about publicly known ASP.NET machine keys broadly in 2020. CVE-2025-53690 represents the Sitecore-specific instance now formally confirmed as exploited in the wild.
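
The configuration side of this, as an added example (not Sitecore's or Microsoft's code): parse a web.config, flag a <machineKey> whose values match a published sample or use a weak validation algorithm, and emit a replacement element with the key sizes IIS Manager itself generates. The key values below are constructed placeholders; the real Sitecore sample keys are not reproduced here and would be loaded from Sitecore KB1003865.

```python
"""Audit an ASP.NET web.config <machineKey> and emit a replacement element."""
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder for a key copied from old docs; populate from KB1003865 for real use.
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

# Constructed web.config fragment carrying the placeholder "sample" key above.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml):
    """Return a list of findings for the <machineKey> element (empty means clean)."""
    findings = []
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:
        # Missing element: ASP.NET auto-generates per-server keys (safe, but ViewState breaks across a farm).
        return ["no <machineKey> element: keys are auto-generated per server"]
    for attr in ("validationKey", "decryptionKey"):
        if mk.get(attr, "").upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a known published sample key")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    return findings


def generate_machine_key_element():
    """Build a fresh <machineKey> with the sizes IIS Manager itself generates:
    a 64-byte HMACSHA256 validation key and a 32-byte AES decryption key."""
    validation_key = secrets.token_hex(64).upper()   # 128 hex characters
    decryption_key = secrets.token_hex(32).upper()   # 64 hex characters
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("Replacement (deploy the same element to every server in the farm):")
    print(generate_machine_key_element())
```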

Discovery

Mandiant (Google Cloud) discovered active exploitation during incident response. Mandiant analyzed captured network traffic, decrypted the __VIEWSTATE payloads using the known machine key, and found embedded .NET assemblies identified as WEEPSTEEL — a reconnaissance tool that collects and exfiltrates system information, disk data, network configuration, and running process lists. Exfiltration is disguised as benign __VIEWSTATE HTTP responses to evade detection. Also identified: EARTHWORM (a SOCKS tunneler for network pivoting) and DWAGENT (a legitimate remote administration tool repurposed for persistence).

Exploitation Context

Zero-day exploitation confirmed at time of disclosure (3 September 2025) — exploitation predated any CVE or Sitecore advisory. Attackers created local administrator accounts (e.g., asp$, sawadmin) via the RCE to establish persistence. The WEEPSTEEL, EARTHWORM, and DWAGENT toolset was deployed for reconnaissance, persistence, and lateral movement. Mandiant did not attribute activity to a known named threat actor or UNC group. The attack pattern is opportunistic — any Sitecore instance retaining the well-known sample machine key is vulnerable, making mass scanning-based exploitation straightforward. CISA added CVE-2025-53690 to the KEV catalog on 4 September 2025 with a 21-day federal remediation deadline.

Remediation

  1. Immediately replace all <machineKey> values in production Sitecore web.config files with newly generated unique keys. Use ASP.NET's machine key generator or PowerShell: [System.Web.Security.MachineKeySection]::GenerateCompatibleMachineKey("SHA1", "AES"). Apply to all servers in the farm simultaneously to maintain ViewState compatibility.
  2. Encrypt the <machineKey> element using DPAPI (aspnet_regiis -pe "system.web/machineKey" -app "/") to protect the keys at rest.
  3. Verify the current keys are NOT the Sitecore sample keys — compare against Sitecore KB1003865's list of known vulnerable key values.
  4. Hunt for WEEPSTEEL indicators: inspect IIS and application logs for __VIEWSTATE payloads that are unusually large (embedded assemblies are significantly larger than normal ViewState) or contain binary-format content.
  5. Search for rogue local accounts: run net localgroup administrators on all Sitecore servers and look for accounts such as asp$, sawadmin, or any unrecognized administrator account created after deployment.
  6. Scan for EARTHWORM and DWAGENT: check for unusual SOCKS proxy processes or remote administration tools not part of the standard server baseline.
  7. Consult Sitecore KB1003865 for the complete list of known compromised machine key values and detailed remediation guidance.
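
Hunting step 4 over IIS logs, as an added example (not Mandiant's or Sitecore's tooling): parse W3C-format records and flag POSTs to .aspx pages whose request body or response is far larger than a normal ViewState round trip, which covers both oversized inbound payloads and exfiltration disguised as ViewState responses. The log lines are constructed, the layout assumes the optional cs-bytes and sc-bytes columns are enabled in IIS logging, and the thresholds are assumptions to tune against your own baseline.

```python
"""Triage IIS W3C logs for ViewState postbacks far outside a normal size."""

# Constructed W3C sample (not real Sitecore logs). Field layout assumes the
# optional cs-bytes and sc-bytes columns were enabled in IIS logging.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes sc-bytes
2025-09-02 10:01:07 GET /default.aspx - 203.0.113.10 200 412 18233
2025-09-02 10:01:19 POST /default.aspx - 203.0.113.10 200 3120 18301
2025-09-02 10:03:55 POST /sitecore/blocked.aspx - 198.51.100.7 200 146022 9811
2025-09-02 10:04:02 POST /sitecore/blocked.aspx - 198.51.100.7 200 151388 231970
"""

# Assumed thresholds: tune against the baseline of your own application.
MAX_POST_BYTES = 64 * 1024
MAX_RESPONSE_BYTES = 200 * 1024


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_suspicious_postbacks(text):
    """Return (uri, client_ip, reason) for POSTs to .aspx pages whose request
    body or response is much larger than a legitimate ViewState round trip."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or not rec["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        if int(rec["cs-bytes"]) > MAX_POST_BYTES:
            hits.append((rec["cs-uri-stem"], rec["c-ip"], "oversized request body"))
        if int(rec["sc-bytes"]) > MAX_RESPONSE_BYTES:
            hits.append((rec["cs-uri-stem"], rec["c-ip"], "oversized response"))
    return hits


if __name__ == "__main__":
    for uri, client, reason in find_suspicious_postbacks(SAMPLE_IIS_LOG):
        print(f"{client} -> {uri}: {reason}")
```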

Key Details

Property               Value
CVE ID                 CVE-2025-53690
Vendor / Product       Sitecore — Multiple Products
NVD Published          2025-09-03
NVD Last Modified      2025-10-30
CVSS 3.1 Score         9
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-502
CISA KEV Added         2025-09-04
CISA KEV Deadline      2025-09-25
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      High
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-09-25. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-09-03   CVE published; Sitecore KB1003865 published; Mandiant discloses active zero-day exploitation and WEEPSTEEL malware
2025-09-04   CISA adds CVE-2025-53690 to the Known Exploited Vulnerabilities catalog
2025-09-25   CISA BOD 22-01 remediation deadline