A coordinated disclosure by Mandiant and Sitecore has revealed the active exploitation of a critical configuration vulnerability tracked as CVE-2025-53690 (CVSS 9.0). The flaw stems from the use of publicly exposed ASP.NET machine keys in older Sitecore deployment guides, enabling attackers to conduct ViewState deserialization attacks that can result in full remote code execution.
Sitecore acknowledged the severity of the issue, warning that “successful exploitation of the related vulnerability might lead to remote code execution and non-authorized access to information.”
The risk primarily affects customers who deployed Sitecore XP 9.0 or earlier with Active Directory 1.4 or earlier, relying on the sample machine keys provided in legacy documentation. Mandiant confirmed that “an attacker leveraged the exposed ASP.NET machine keys to perform remote code execution” against affected Sitecore instances.
During its rapid response, Mandiant observed the attacker’s exploitation chain:
- Initial Access: The adversary exploited the ViewState deserialization flaw via the /sitecore/blocked.aspx endpoint. IIS logs and application event logs revealed crafted malicious ViewState payloads bypassing validation checks.
- Malware Deployment: The decrypted payload contained WEEPSTEEL, a reconnaissance tool designed to collect and exfiltrate system, disk, network, and process data disguised as benign __VIEWSTATE responses.
- Privilege Escalation & Persistence: The attackers created local administrator accounts (such as asp$ and sawadmin) and deployed EARTHWORM (a SOCKS tunneler) and DWAGENT (a legitimate remote access tool) for persistence and covert lateral movement.
- Credential Dumping: Registry hives (SAM and SYSTEM) were dumped to extract cached credentials, facilitating further RDP-based lateral movement across the network.
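The first link in the chain above leaves a footprint in ordinary IIS request logs: ViewState is submitted in a POST body, so POST requests to the /sitecore/blocked.aspx endpoint named in the report are the signal a defender can search for. The following Python script is an added example written for this article (it is not Mandiant's or Sitecore's code); it parses the W3C extended log format IIS writes, using its own `#Fields:` header to map columns, and summarises POST traffic to that endpoint per client IP. The log excerpt is constructed for the example, and the premise that the endpoint should rarely receive POST bodies in normal use is an assumption to validate against your own baseline.

```python
"""Triage IIS W3C logs for POST traffic to the Sitecore endpoint named in the report."""
from dataclasses import dataclass

# Constructed sample excerpt in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken
2025-09-01 10:00:01 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.10 Mozilla/5.0 200 0 120
2025-09-01 10:00:05 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 0 340
2025-09-01 10:00:07 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 Mozilla/5.0 500 0 220
2025-09-01 10:01:00 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 15
2025-09-01 10:02:30 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 0 310
"""

# Endpoint taken from the Mandiant write-up quoted in the article.
WATCHED_ENDPOINT = "/sitecore/blocked.aspx"


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


@dataclass
class Finding:
    client_ip: str
    post_count: int
    server_errors: int
    first_seen: str
    last_seen: str


def find_viewstate_posts(rows, endpoint=WATCHED_ENDPOINT):
    """Group POST requests to the watched endpoint by source IP, most active first.

    A 5xx response to such a POST is counted separately: a ViewState payload
    that fails to deserialize typically surfaces as a server error.
    """
    by_ip = {}
    for r in rows:
        if r["cs-method"] != "POST" or r["cs-uri-stem"].lower() != endpoint:
            continue
        ip = r["c-ip"]
        ts = f"{r['date']} {r['time']}"
        finding = by_ip.get(ip)
        if finding is None:
            finding = by_ip[ip] = Finding(ip, 0, 0, ts, ts)
        finding.post_count += 1
        if r["sc-status"].startswith("5"):
            finding.server_errors += 1
        finding.last_seen = ts
    return sorted(by_ip.values(), key=lambda f: -f.post_count)


if __name__ == "__main__":
    for f in find_viewstate_posts(parse_w3c(SAMPLE_LOG)):
        print(f"{f.client_ip}: {f.post_count} POSTs ({f.server_errors} server errors) "
              f"between {f.first_seen} and {f.last_seen}")
```

Because IIS does not log request bodies by default, this triage cannot see the ViewState itself; correlate hits with the application event log entries the report mentions (ViewState MAC validation failures) and with any local account creation on the same host.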
Mandiant concluded that “the attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation.”
Sitecore confirmed that the vulnerability may affect multiple products when misconfigured:
- Potentially Impacted: Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and certain Managed Cloud deployments.
- Not Impacted: XM Cloud, Content Hub, CDP & Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server.
The vendor’s recommended mitigations include:
- Rotate and encrypt machine keys in all web.config files.
- Restrict access to web.config to application administrators only.
- Inspect environments for suspicious or anomalous behavior.
- Adopt key rotation as a standard practice, especially for customer-managed static keys.
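The first and fourth mitigations come down to one operation: find every web.config whose `<machineKey>` still carries a static key copied from documentation, and replace it with freshly generated random keys. The Python below is an added example, not Sitecore's tooling; it audits the element (absent, auto-generated, or static, and whether a static value is on a deny-list) and rewrites it with new keys. The web.config excerpt and the deny-list entries are constructed placeholders; a real deny-list would hold the published sample keys as they appear in the legacy guides.

```python
"""Audit a web.config <machineKey> for exposed sample keys and rotate it."""
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config excerpt. The key values are placeholders standing in for
# the sample keys from the legacy deployment guides; they are not real keys.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_EXPOSED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_EXPOSED_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed deny-list. In practice, populate it with the published sample keys
# exactly as they appear in the old documentation (uppercase hex).
KNOWN_EXPOSED_KEYS = frozenset({
    "PLACEHOLDER_EXPOSED_VALIDATION_KEY",
    "PLACEHOLDER_EXPOSED_DECRYPTION_KEY",
})

KEY_ATTRS = ("validationKey", "decryptionKey")


def audit_machine_key(xml_text, known_exposed=KNOWN_EXPOSED_KEYS):
    """Classify the machineKey element and list attributes whose value is known-exposed."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.web/machineKey")
    if node is None:
        # No element at all: ASP.NET auto-generates per-machine keys.
        return {"mode": "absent", "exposed": []}
    exposed = []
    static = False
    for attr in KEY_ATTRS:
        value = node.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # covers "AutoGenerate" and "AutoGenerate,IsolateApps"
        static = True
        if value in known_exposed:
            exposed.append(attr)
    return {"mode": "static" if static else "autogenerate", "exposed": exposed}


def generate_keys():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rotate_machine_key(xml_text):
    """Return (new_xml_text, (validation_key, decryption_key)) with freshly generated keys."""
    root = ET.fromstring(xml_text)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = system_web.find("machineKey")
    if node is None:
        node = ET.SubElement(system_web, "machineKey")
    vkey, dkey = generate_keys()
    node.set("validationKey", vkey)
    node.set("decryptionKey", dkey)
    node.set("validation", "HMACSHA256")
    node.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode"), (vkey, dkey)


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    new_xml, _ = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(new_xml))
```

Two operational points the script does not cover: every server in a web farm must receive the same new pair at the same time, since ViewState signed on one node must validate on the others, and rotation invalidates outstanding ViewState and forms-authentication tickets, so schedule it accordingly. The rewritten element can then be protected at rest with the standard `aspnet_regiis -pef "system.web/machineKey" <app path>` step, which encrypts the section in place. Note that ElementTree does not preserve comments or original formatting, so review the rewritten file before deploying it.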
Sitecore further emphasized: “Following the guidance from Microsoft Threat Intelligence, Mandiant Threat Intelligence and Sitecore, we recommend examining your environment for suspicious behavior in addition to rotating and protecting your ASP.NET machine keys and other secrets.”