Uncovered Configuration Vulnerability in Sitecore Currently Being Actively Exploited
In a recent cybersecurity report, security researchers at Mandiant describe an ongoing series of attacks targeting Sitecore Content Management System (CMS) deployments. The attacks exploit a vulnerability tracked as CVE-2025-53690 and have been traced back to an ASP.NET machine key that was published in older Sitecore product deployment guides.
The vulnerability, if exploited, allows attackers to inject malicious ViewState payloads. ViewState, in the context of ASP.NET programming, is a mechanism for preserving the state of web pages across web form posts. If the machine keys that protect ViewState are stolen or leaked, attackers can use them to craft malicious ViewState payloads that the server will accept, potentially leading to unauthorised access and data theft.
The initial attack vector uses CVE-2025-53690 to inject a .NET assembly called WEEPSTEEL through ViewState. WEEPSTEEL, similar to the GhostContainer backdoor, is used for information gathering and runs with the privileges of the NETWORK SERVICE account. After initial exploitation, attackers deploy tools to escalate privileges, add new users (including administrators), establish remote access tunnels, and dump credentials.
The threat actor was also found to have deployed the EARTHWORM tunneling tool on other systems on the network. EARTHWORM is a known tool used for lateral movement within networks. Attackers used their access to dump the SYSTEM and SAM registry hives and start lateral movement via Remote Desktop Protocol (RDP) sessions.
The attacker's progression from initial server compromise to privilege escalation was evident in the reported case. The privilege escalation tools allowed the attackers to gain SYSTEM privileges and create additional administrative accounts.
The Mandiant report includes indicators of compromise that can be used to build detection signatures. Sitecore users are advised to examine their environments for signs of compromise and malware. It is also recommended to rotate machine keys, encrypt the sensitive sections of their configuration files, and follow Microsoft's ASP.NET ViewState security guidance on automatic key rotation.
Instances of Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) deployed in a multi-instance mode with customer-managed static machine keys are impacted by this vulnerability. Sitecore Managed Cloud Standard with Containers deployed in a multi-instance mode could also be impacted.
Users who deployed their instances using the old deployment guides and used the sample keys should now check their installations for signs of compromise. Microsoft had previously warned about in-the-wild attacks leveraging ViewState code injection or deserialization techniques.
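The two recommendations above, rotating machine keys and checking installations that were built from the old guides, both come down to knowing whether a web.config still carries a static key. The following is an added example for this article, not Sitecore's or Mandiant's code: it parses a web.config, flags a static `validationKey`/`decryptionKey` as opposed to the auto-generated form, and compares each key's hash against a set of hashes of known-published keys (that set is an empty placeholder here, and the constructed key values below are not the leaked ones).

```python
"""Audit an ASP.NET web.config for a static <machineKey>.

Added example for this article, not Sitecore's or Mandiant's code. It reports
whether validationKey/decryptionKey are static rather than AutoGenerate and
compares each key's SHA-256 against a set of hashes of keys known to have been
published. That set is a placeholder; the leaked sample keys are not reproduced.
"""
import hashlib
import xml.etree.ElementTree as ET

# Placeholder: SHA-256 hex digests of keys known to be public (none shipped).
KNOWN_SAMPLE_KEY_HASHES = set()
# Constructed web.config excerpt with a static key (the risky pattern).
STATIC_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Hardened form: per-application auto-generated keys, nothing static to leak.
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def key_fingerprint(key: str) -> str:
    """Hash a key so lists of known-bad keys can be kept without the keys."""
    return hashlib.sha256(key.encode()).hexdigest()


def audit_machine_key(config_xml: str, known_hashes=KNOWN_SAMPLE_KEY_HASHES) -> dict:
    """Return {'present', 'static', 'known_sample'} for the first <machineKey>."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    findings = {"present": node is not None, "static": False, "known_sample": False}
    if node is None:  # absent element means ASP.NET's default, AutoGenerate,IsolateApps
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue
        findings["static"] = True
        if key_fingerprint(value) in known_hashes:
            findings["known_sample"] = True
    return findings
```

A multi-instance deployment that needs a shared key should treat any `static` finding as a prompt to rotate to a freshly generated key and move it into an encrypted configuration section, not as a reason to switch to `AutoGenerate` (which would break ViewState across nodes).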
In addition to the tools mentioned above, attackers also downloaded further tools such as 7za.exe, VBS scripts, DWAGENT, and GoToken.exe.
It is crucial for Sitecore users to take immediate action to secure their environments and protect their data from potential threats.