Security teams have issued a warning after Google researchers detected active attacks exploiting a new zero-day vulnerability in Sitecore products.
Tracked as CVE-2025-53690, this flaw allows attackers to run code on unpatched servers by tampering with the ViewState mechanism in ASP.NET.
Sitecore, a popular content management system, published deployment guides in 2017 and earlier that included a sample machine key.
When administrators used this sample key instead of generating a unique key, they left their servers open to a ViewState deserialization attack.
ViewState holds page data in a hidden form field. If an attacker can craft a malicious ViewState payload and the server accepts it without proper validation, they gain the ability to execute arbitrary code.
The vulnerability was first spotted by Mandiant Threat Defense during an incident response. Attackers sent specially crafted POST requests to /sitecore/blocked.aspx, triggering a ViewState validation failure log entry.
Using the exposed sample key, they decrypted and modified ViewState data to include a reconnaissance malware named WEEPSTEEL.
This malware gathers system details and sends them back in a fake ViewState response. The attackers then used 7-Zip to archive critical files, staged tunneling tools like EARTHWORM, and installed a remote access utility called DWAGENT to maintain persistent access.
Sitecore has confirmed that versions affected include Sitecore XP 9.0 and Active Directory 1.4 or earlier when deployed with the sample key.
Updated installation packages now generate a unique machine key automatically. Administrators are urged to refer to Sitecore’s advisory SC2025-005 and rotate any machine keys stored in their web.config files.
Table 1 summarizes the main details of this vulnerability:
| Vulnerability Type | CVE-ID | Affected Products | Description |
| --- | --- | --- | --- |
| ViewState Deserialization Flaw | CVE-2025-53690 | Sitecore XP 9.0, AD 1.4 and earlier | Allows remote code execution via crafted ViewState payloads when sample keys are used |
Attack Chain Overview
- Initial compromise through a ViewState deserialization exploit.
- Deployment of WEEPSTEEL for internal reconnaissance.
- Archiving and exfiltration of web.config and other files.
- Staging of tunneling tool (EARTHWORM) and remote access tool (DWAGENT).
- Creation of local admin accounts and credential dumping via SAM/SYSTEM hives.
- Lateral movement to other servers and Active Directory reconnaissance using SharpHound.
Recommended Mitigations
- Rotate and secure machine keys; do not use sample keys.
- Enable ViewState MAC (Message Authentication Code) in ASP.NET settings.
- Encrypt sensitive values in web.config.
- Apply the latest Sitecore updates or patches immediately.
- Monitor outbound traffic for unexpected tunneling connections and unusual RDP sessions.
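As an added defensive example (not code from the article, Sitecore or Mandiant), the Python audit below checks a web.config for the weaknesses the mitigations above target: a machine key copied from published documentation, a weak validation algorithm, and ViewState MAC switched off, and it builds a freshly generated replacement `<machineKey>` element. The sample-key values and the web.config fragment are constructed stand-ins; the real 2017 sample key is not reproduced here.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-ins for the key published in the 2017 deployment guides; the
# real sample value is deliberately not reproduced. Extend this set with any value
# copied from documentation or shared across environments.
KNOWN_SAMPLE_KEYS = {
    "SAMPLE_VALIDATION_KEY_FROM_GUIDE",
    "SAMPLE_DECRYPTION_KEY_FROM_GUIDE",
}

# Constructed web.config fragment showing the weak configuration.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="SAMPLE_VALIDATION_KEY_FROM_GUIDE"
                decryptionKey="SAMPLE_DECRYPTION_KEY_FROM_GUIDE"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# ASP.NET keys are hex strings; the 16-byte floor is this audit's own threshold.
HEX_KEY = re.compile(r"[0-9A-Fa-f]{32,}")

def audit_web_config(xml_text):
    """Return a list of findings for ViewState-related weaknesses in a web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        # Absent attributes default to AutoGenerate, which is per-server and acceptable.
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value in KNOWN_SAMPLE_KEYS:
                findings.append(f"machineKey/{attr} is a published sample value")
            elif not value.startswith("AutoGenerate") and not HEX_KEY.fullmatch(value):
                findings.append(f"machineKey/{attr} is not a hex key of adequate length")
        if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append("machineKey/validation is MD5 or SHA1; use HMACSHA256 or stronger")
    pages = next(root.iter("pages"), None)
    # Only older ASP.NET runtimes honour this flag; 4.5.2 and later always enforce the MAC.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages/enableViewStateMac is false; ViewState integrity is not checked")
    return findings

def generate_machine_key():
    """Build a replacement <machineKey> with random 64-byte validation and 32-byte decryption keys."""
    return ('<machineKey validationKey="{}" decryptionKey="{}" '
            'validation="HMACSHA256" decryption="AES" />').format(
        secrets.token_hex(64).upper(), secrets.token_hex(32).upper())
```

Run it against each server's web.config; any finding on the sample-key check should also trigger a review of the ViewState validation failure entries and requests to /sitecore/blocked.aspx mentioned above.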
Organizations running Sitecore products should audit their deployments for any use of the 2017 sample machine key and review their logs for events indicating ViewState tampering.
Prompt patching and key rotation will close this critical gap and protect against ongoing attacks.