CVE-2025-53690
published 2025-09-03


Priority: P1 (91) · Severity: critical · CVSS 3.1 base score: 9.0
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2025-09-25)
Exploited in the wild
EPSS: 26.31% (97.7th percentile)
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

Affected

3 ranges

Vendor   | Product             | Version range | Fixed in
sitecore | experience_commerce | <= 9.0        | -
sitecore | experience_manager  | <= 9.0        | -
sitecore | experience_platform | <= 9.0        | -

Detection & IOCs (extracted from sources)

path: /sitecore/blocked.aspx
filename: WeepSteel
process: whoami
command: ipconfig /all
command: netstat -ano
process: Earthworm
process: Dwagent
process: GoTokenTheft
other: local administrator account: asp$
other: local administrator account: sawadmin
cookie: _VIEWSTATE (malicious deserialization payload)
process: Rubeus
process: Certipy
process: SharpHound
process: SharpWMI
  • Monitor for unauthenticated POST requests to /sitecore/blocked.aspx, particularly those with large or anomalous _VIEWSTATE parameter values, as this is the targeted unauthenticated ViewState endpoint.
  • Alert on WeepSteel exfiltrating data disguised as standard ViewState HTTP responses — look for outbound HTTP responses from IIS worker processes containing encoded data inconsistent with normal ViewState traffic.
  • Detect creation of local administrator accounts named 'asp$' or 'sawadmin' on IIS-hosting Windows servers as a high-fidelity indicator of post-exploitation activity.
  • Hunt for SAM and SYSTEM registry hive dumping originating from IIS NETWORK SERVICE account context, indicating credential harvesting following Sitecore RCE.
  • Detect Dwagent registered as a SYSTEM service on Sitecore servers as a persistence indicator.
  • Alert on Earthworm establishing reverse SOCKS tunnels from Sitecore/IIS server processes, indicating internal network tunneling post-exploitation.
  • Detect disabling of RDP RestrictedAdmin mode on compromised hosts, which UAT-8837 uses to facilitate credential harvesting.
  • Flag exfiltration of DLLs from victim products, which could indicate preparation for trojanization and supply-chain attacks.
  • Audit web.config files on Sitecore servers for static/default machine keys matching those published in pre-2017 Sitecore documentation; presence of known-public keys is a direct exploitation prerequisite.
  • The vulnerability only affects Sitecore deployments using the sample ASP.NET machine key from pre-2017 documentation; XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are NOT impacted.
  • Multi-instance Sitecore deployments with static machine keys shared across nodes are also at risk, not just single-instance deployments.
  • The flaw is a misconfiguration (reuse of publicly documented sample keys), not a bug in ASP.NET itself; detection and remediation must focus on web.config machine key values.
  • Microsoft has identified over 3,000 publicly disclosed machine keys that could be used for ViewState code injection; Sitecore's vulnerable key is among these and may be present in other products' configurations.
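One way to carry out the web.config audit called for in the machine-key bullet, as an added Python example that is not part of this CVE record and not Sitecore's or Microsoft's tooling: it parses a web.config, compares the static validationKey and decryptionKey against a set of known-public keys, and also flags a disabled ViewState MAC (which removes the integrity check regardless of key quality). The KNOWN_PUBLIC_KEYS set and the three sample configs are constructed placeholders; a real audit would load the published list of disclosed keys (the pre-2017 Sitecore sample key and Microsoft's list) from a file instead.

```python
"""Audit an ASP.NET web.config for static, publicly known machineKey values.

Added example, not code from the CVE record or from Sitecore. KNOWN_PUBLIC_KEYS
and the sample configs are constructed placeholders; a real audit loads the
published list of disclosed keys from a file.
"""
import xml.etree.ElementTree as ET

# PLACEHOLDER (constructed): stands in for publicly documented sample keys such as
# the pre-2017 Sitecore sample key and the keys on Microsoft's disclosed-key list.
KNOWN_PUBLIC_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}


def _child(parent, tag):
    """First direct child with the given tag (tag names like system.web contain dots,
    so a plain loop is used rather than an XPath expression)."""
    for elem in parent:
        if elem.tag == tag:
            return elem
    return None


def _norm(value):
    """Normalise a key attribute for comparison: strip whitespace, upper-case hex."""
    return (value or "").strip().upper()


def audit_machine_key(web_config_xml, known_public_keys=KNOWN_PUBLIC_KEYS):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    if system_web is None:
        return ["no <system.web> section found; nothing to audit"]

    # With no <machineKey> element ASP.NET defaults to AutoGenerate,IsolateApps
    # (per-server random keys), which is not affected by published sample keys.
    machine_key = _child(system_web, "machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = _norm(machine_key.get(attr))
            if not value or value.startswith("AUTOGENERATE"):
                continue  # runtime-generated key, not a static secret
            if value in known_public_keys:
                findings.append(f"{attr} matches a publicly disclosed key (rotate it)")

    # A disabled ViewState MAC removes the integrity check entirely, so flag it
    # independently of which keys are configured.
    pages = _child(system_web, "pages")
    if pages is not None and _norm(pages.get("enableViewStateMac")) == "FALSE":
        findings.append("enableViewStateMac=false: ViewState is not integrity-checked")
    return findings


# Constructed sample configs (not real Sitecore files).
CONFIG_WITH_PUBLIC_KEY = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

CONFIG_WITH_UNIQUE_KEY = """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="00112233445566778899AABBCCDDEEFF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

CONFIG_MAC_DISABLED = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in [("public key", CONFIG_WITH_PUBLIC_KEY),
                      ("unique key", CONFIG_WITH_UNIQUE_KEY),
                      ("MAC disabled", CONFIG_MAC_DISABLED)]:
        print(name, "->", audit_machine_key(cfg) or ["clean"])
```

Run it against a copy of each node's web.config in a multi-instance deployment, since the notes above point out that a static key shared across a farm is as exposed as one on a single server; the comparison is done on normalised upper-case hex so differences in letter case between a config and the published list do not hide a match.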

CVSS provenance

nvd (CVSS v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL
cisa: 9.0 CRITICAL