# CVE-2025-53690
Published: 2025-09-03
Priority: P1 · 91 · Critical 9 · CVSS 3.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-09-25
Exploited in the wild
EPSS: 26.31% (97.7th percentile)
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitecore | experience_commerce | <= 9.0 | — |
| sitecore | experience_manager | <= 9.0 | — |
| sitecore | experience_platform | <= 9.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to /sitecore/blocked.aspx, particularly those with large or anomalous _VIEWSTATE parameter values, as this is the targeted unauthenticated ViewState endpoint.
- Alert on WeepSteel exfiltrating data disguised as standard ViewState HTTP responses — look for outbound HTTP responses from IIS worker processes containing encoded data inconsistent with normal ViewState traffic.
- Detect creation of local administrator accounts named 'asp$' or 'sawadmin' on IIS-hosting Windows servers as a high-fidelity indicator of post-exploitation activity.
- Hunt for SAM and SYSTEM registry hive dumping originating from the IIS NETWORK SERVICE account context, indicating credential harvesting following Sitecore RCE.
- Detect Dwagent registered as a SYSTEM service on Sitecore servers as a persistence indicator.
- Alert on Earthworm establishing reverse SOCKS tunnels from Sitecore/IIS server processes, indicating internal network tunneling post-exploitation.
- Detect disabling of RDP RestrictedAdmin mode on compromised hosts, which UAT-8837 uses to facilitate credential harvesting.
- Flag exfiltration of DLLs from victim products, which could indicate preparation for trojanization and supply-chain attacks.
- Audit web.config files on Sitecore servers for static/default machine keys matching those published in pre-2017 Sitecore documentation; presence of known-public keys is a direct exploitation prerequisite.
- The vulnerability only affects Sitecore deployments using the sample ASP.NET machine key from pre-2017 documentation; XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are NOT impacted.
- Multi-instance Sitecore deployments with static machine keys shared across nodes are also at risk, not just single-instance deployments.
- The flaw is a misconfiguration (reuse of publicly documented sample keys), not a bug in ASP.NET itself; detection and remediation must focus on web.config machine key values.
- Microsoft has identified over 3,000 publicly disclosed machine keys that could be used for ViewState code injection; Sitecore's vulnerable key is among these and may be present in other products' configurations.
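The two web.config checks above (a static validationKey/decryptionKey, and a value that matches a known-public key) as an added Python audit; this is example code, not Sitecore's or any source's tooling. KNOWN_PUBLIC_KEYS and the sample configs are constructed placeholders; the real pre-2017 Sitecore sample key is not reproduced here.

```python
"""Audit ASP.NET web.config <machineKey> for static or known-public keys.

Added example, not Sitecore's or any source's code. Key values below are
constructed placeholders, not the real pre-2017 Sitecore sample key.
"""
import xml.etree.ElementTree as ET

# Constructed placeholder; a real audit would load the keys published in old
# Sitecore documentation and Microsoft's list of disclosed keys here.
KNOWN_PUBLIC_KEYS = {"A" * 128}


def audit_machine_key(web_config_xml: str, known_keys=KNOWN_PUBLIC_KEYS) -> list:
    """Return findings for one web.config; an empty list means no static-key risk.

    An absent <machineKey> or AutoGenerate values are fine for a single node. In a
    multi-node farm the key must be shared, so the fix there is a freshly
    generated random key per deployment, never a value copied from documentation.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    machine_key = root.find("./system.web/machineKey")
    if machine_key is None:
        return findings
    normalised_known = {k.upper() for k in known_keys}
    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr)
        if value is None or value.startswith("AutoGenerate"):
            continue
        findings.append(f"{attr} is static ({len(value)} hex chars)")
        if value.upper() in normalised_known:
            findings.append(f"{attr} matches a known-public key: rotate immediately")
    return findings


# Constructed sample configs (the static keys are dummy hex strings).
VULNERABLE_CONFIG = (
    '<configuration><system.web><machineKey validationKey="' + "A" * 128 + '" '
    'decryptionKey="' + "B" * 64 + '" validation="SHA1" decryption="AES"/>'
    "</system.web></configuration>"
)
SAFE_CONFIG = (
    '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>'
)

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_machine_key(cfg) or ["ok"])
```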
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | — | 9.0 | CRITICAL | — |
| cisa | — | 9.0 | CRITICAL | — |
GHSA
GHSA-g5r9-cgwv-wmpc: Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection
ghsa_unreviewed · 2025-09-05 · CVE-2025-53690 · CRITICAL · CWE-502
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
VulnCheck
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
vulncheck · 2025 · CVSS 9.0 · CVE-2025-53690 · CRITICAL · CWE-502
Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.
Affected: Sitecore Multiple Products
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability; https://www.acn.gov.it/portale/w/sitecore-rilevato-sfruttamento
CISA
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
cisa · 2025-09-04 · CVSS 9.0 · CVE-2025-53690 · CRITICAL · CWE-502
Affected: Sitecore Multiple Products
Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53690
Remediation Due Date: 2025-09-25
Suricata
ET HUNTING Sitecore Experience Platform ViewState Insecure Deserialization via Exposed ASP.NET MachineKeys (CVE-2025-53690)
suricata · 2025-09-30 · CVSS 9.0 · CVE-2025-53690 · CRITICAL
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET HUNTING Sitecore Experience Platform ViewState Insecure Deserialization via Exposed ASP.NET MachineKeys (CVE-2025-53690)"; flow:established,to_server; http.uri; content:"/sitecore/blocked.aspx"; fast_pattern; http.request_body; content:"__VIEWSTATE|3d|"; pcre:"/^([a-zA-Z0-9]*%2[BF]){50,}/R"; http.method; content:"POST"; reference:url,cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability; reference:cve,2025-53690; classtype:web-application-attack; sid:2064998; rev:1; metadata:affected_product Sitecore, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_30, cve CV
```
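To see exactly what the hunting rule above fires on, here is its match logic replayed in Python over constructed HTTP requests; this is an added example, not part of the ET ruleset or any source. It mirrors the rule's conditions: POST, URI containing /sitecore/blocked.aspx, and a request body where __VIEWSTATE= is followed by 50 or more alphanumeric runs each ending in %2B or %2F (a long URL-encoded base64 blob).

```python
"""Replay the Suricata hunting rule's match logic over constructed HTTP requests.

Added example, not part of the ET ruleset or any source above. The sample
requests are constructed; the encoded blobs are dummy data, not real ViewState.
"""
import re
from dataclasses import dataclass

# Equivalent of the rule's pcre:"/^([a-zA-Z0-9]*%2[BF]){50,}/R", anchored right
# after the "__VIEWSTATE=" content match.
VIEWSTATE_RE = re.compile(r"(?:[a-zA-Z0-9]*%2[BF]){50,}")
FIELD = "__VIEWSTATE="
TARGET_URI = "/sitecore/blocked.aspx"


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str


def matches_rule(req: HttpRequest) -> bool:
    """True when the request satisfies every condition of the hunting rule."""
    if req.method != "POST" or TARGET_URI not in req.uri:
        return False
    start = req.body.find(FIELD)
    if start < 0:
        return False
    # Pattern.match with pos behaves like the rule's relative (/R) anchor.
    return VIEWSTATE_RE.match(req.body, start + len(FIELD)) is not None


# Constructed samples: a long encoded blob vs. a short, ordinary ViewState.
LONG_BLOB = "dDwx%2B" * 60 + "%3D%3D"          # 60 encoded '+' separators
SHORT_BLOB = "dDwxMjM0" * 10 + "%2F" + "%3D"   # only one encoded '/'

SUSPICIOUS = HttpRequest("POST", TARGET_URI, FIELD + LONG_BLOB)
BENIGN_SIZE = HttpRequest("POST", TARGET_URI, FIELD + SHORT_BLOB)
OTHER_PAGE = HttpRequest("POST", "/default.aspx", FIELD + LONG_BLOB)
NOT_POST = HttpRequest("GET", TARGET_URI + "?" + FIELD + LONG_BLOB, "")

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign_size", BENIGN_SIZE),
                      ("other_page", OTHER_PAGE), ("not_post", NOT_POST)):
        print(f"{name}: {'ALERT' if matches_rule(req) else 'no match'}")
```

The rule is a size heuristic, so a legitimately large ViewState on that endpoint can also trip it; confirm a hit by checking whether the server's web.config machine key is a known-public value.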
No public exploits indexed.
Bleepingcomputer
blogs_bleepingcomputer · 2026-01-16 · CVSS 9.0 · CRITICAL
## China-linked hackers exploited Sitecore zero-day for initial access
Bill Toulas
An advanced threat actor tracked as UAT-8837 and believed to be linked to China has been focusing on critical infrastructure systems in North America, gaining access by exploiting both known and zero-day vulnerabilities.
The hacker group has been active since at least 2025, and its purpose appears to be mainly to obtain initial access to targeted organizations, Cisco Talos researchers say in a report today.
In a previous report, the same researchers noted that another China-linked actor, tracked internally as UAT-7290 and active since at least 2022, is also tasked with obtaining access. However, they note that this attacker is involved in espionage activity, too.
UAT-8837 attacks typically start with l
Huntress
blogs_huntress · 2025-10-02
## Top Cyber Threat Trends of 2025 from Deepfakes, ClickFix, and ViewState Exploits
Cloudflare Turnstile challenges leading to MetaStealer. Deepfake meetings impersonating company executives, which trick employees into downloading malicious extensions. Exposed ASP.NET machine keys that open the door for ViewState deserialization attacks against company servers.
These are only a few snapshots of the techniques that threat actors have been relying on in 2025 so far. In our most recent Tradecraft Tuesday episode – The Craftiest Trends, Scams, and Tradecraft of 2025 (So Far) – John Hammond and Greg Linares with Huntress dove into the top types of tricky tradecraft that threat actors are using to target businesses.
## ClickFix: The attack we’ve seen everywhere
ClickFix has been around since last year. But in 2025, attackers continued to put new spins on the crafty social en
Bleepingcomputer
blogs_bleepingcomputer · 2025-09-09 · CVSS 8.8 · HIGH
## Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days
Lawrence Abrams
- 41 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 22 Remote Code Execution Vulnerabilities
- 16 Information Disclosure Vulnerabilities
- 3 Denial of Service Vulnerabilities
- 1 Spoofing Vulnerability
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released on Patch Tuesday.
Therefore, the number of flaws does not include three Azure, one Dynamics 365 FastTrack Implementation Assets, two Mariner, five Microsoft Edge, and one Xbox vulnerabilities fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5065426 & KB5065431 cumulative updat
Checkpoint
blogs_checkpoint · 2025-09-08 · tagged CVE-2025-55177
## 8th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
A supply chain breach involving Salesloft’s Drift integration to Salesforce exposed sensitive customer data from multiple organizations, including Cloudflare, Zscaler, Palo Alto Networks, and Workiva. The attackers accessed Salesforce CRM systems via compromised OAuth tokens, stealing contact details, account records, s
Bleepingcomputer
blogs_bleepingcomputer · 2025-09-04 · CVSS 9.0 · CVE-2025-53690 · CRITICAL
## Hackers exploited Sitecore zero-day flaw to deploy backdoors
Bill Toulas
Threat actors have been exploiting a zero-day vulnerability in legacy Sitecore deployments to deploy WeepSteel reconnaissance malware.
The flaw, tracked under CVE-2025-53690, is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2017 Sitecore guides.
Some customers reused this key in production, allowing attackers with knowledge of the key to craft valid, but malicious '_VIEWSTATE' payloads that tricked the server into deserializing and executing them, leading to remote code execution (RCE).
The flaw isn't a bug in ASP.NET itself, but a misconfiguration vulnerability created by reusing publicly documented keys that were never meant for production.
## Ex
Recorded Future
blogs_recorded_future · CVSS 7.2 · HIGH
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
Threat Intel
threat_intel · CVSS 9.0 · CVE-2025-53690 · CRITICAL
# Threat Actor: UAT-8837
## Description
UAT-8837 is a sophisticated China-linked APT group exploiting critical zero-day vulnerabilities, such as CVE-2025-53690 in the Sitecore platform, to achieve remote code execution and deploy the WeepSteel backdoor for espionage and data exfiltration. The group targets high-value enterprise and government sectors, focusing on public-facing applications to gain initial access and conducting stealthy reconnaissance. UAT-8837 employs techniques like privilege escalation by creating administrative accounts and is linked to targeted intrusions aimed at credential harvesting and internal reconnaissance.
Timeline
- 2025-09-03: Published
- 2025-09-04: Added to CISA KEV
- Exploited in the wild