
CVE-2025-53690: Remote Code Execution in Sitecore Platforms


Introduction

Identified on September 3, 2025, CVE-2025-53690 is a critical flaw affecting multiple products within the Sitecore platform. The vulnerability consists of an untrusted data deserialization issue in the ASP.NET ViewState mechanism. It is exploited via a static key exposed in legacy Sitecore documentation, allowing an unauthenticated attacker to execute code remotely on vulnerable instances.

CVE-2025-53690 is currently being actively exploited in the wild, which led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog.

Affected Versions

This vulnerability does not reside in a specific software version but rather in an insecure configuration. Implementations at risk are those that used a static and public machineKey provided in legacy Sitecore installation guides.

The table below details the potentially impacted products:

Product                              Affected Versions
Sitecore Experience Manager (XM)     All versions up to 9.0
Sitecore Experience Platform (XP)    All versions up to 9.0
Sitecore Experience Commerce (XC)    All multi-instance versions with customer-managed keys
Sitecore Managed Cloud               Standard environments with Containers in multi-instance mode

Technical Details

The exploitation of CVE-2025-53690 fundamentally depends on a configuration flaw, transforming an insecure implementation practice into a vector for Remote Code Execution (RCE).

Root Cause

The root cause of the vulnerability is the use of a static ASP.NET machineKey in production environments. This key was publicly disclosed in Sitecore installation guides dating back to 2017 and earlier. ASP.NET uses the machineKey to ensure the integrity and confidentiality of data such as the ViewState, which stores the state of a web page.

When an attacker knows this static key, they can generate a malicious ViewState payload, sign it with the key, and send it to the server. The server trusts the signature because the key matches the one configured in its web.config file. Consequently, the application deserializes the malicious object contained within the ViewState and executes the injected code in the security context of the web application's service account (network service).

Preconditions

For the exploitation to be successful, the following conditions must be met:

  • Internet Exposure: The Sitecore instance must be exposed to the internet.

  • Vulnerable Configuration: The environment must use the static, public machineKey found in legacy documentation. This is not a default configuration in recent installations.

No level of privilege or authentication is required for the initial attack.

Exploitation Process

The exploitation process begins with the attacker identifying a vulnerable Sitecore instance. Research indicates that attackers focus their attempts on the /sitecore/blocked.aspx endpoint, a page that utilizes a hidden ViewState form field.

  1. Payload Generation: A tool like ysoserial.net is used to generate a serialized payload. This payload is typically a .NET object that, upon deserialization, executes a command on the server. In observed attacks, the payload contained a reconnaissance malware known as WEEPSTEEL.

  2. Injection: The malicious payload is inserted into the __VIEWSTATE field of an HTTP POST request directed at the vulnerable page.

  3. Execution: Because the payload is signed with a machineKey that the server recognizes as valid, the application processes it without suspicion, leading to remote code execution.

Below is a conceptual example of how a payload could be sent:

POST /sitecore/blocked.aspx HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded

__VIEWSTATE=[payload serialized and signed with the static key]

Following initial access, attackers have been observed performing privilege escalation to SYSTEM or ADMINISTRATOR levels. They typically install tunneling tools such as EARTHWORM to establish persistence and conduct extensive reconnaissance within the Active Directory (AD) environment.

Public Exploits

While "one-click" weaponized exploits have not yet been identified in the wild, proofs of concept (PoCs) and Nuclei templates have already been developed. These facilitate automated detection of the vulnerability, significantly increasing the risk of mass-scale attacks.

Mitigations

The primary recommendation is to immediately replace the static machineKey with a unique, strong, and automatically generated key. Sitecore has updated its deployment processes to ensure unique keys are generated by default and has published an official security advisory (SC2025-005) with detailed instructions.
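The check below is an added example, not Sitecore's tooling or the procedure from advisory SC2025-005. It parses a web.config, reports whether the machineKey is missing, auto-generated, weak, or equal to a known legacy value, and can rewrite the element with freshly generated random keys. The KNOWN_LEGACY_KEYS set is a placeholder: the real static values are published in Sitecore's advisory and must be substituted there. The sample web.config fragment at the bottom is constructed for the demonstration.

```python
"""Audit and rotate the ASP.NET <machineKey> in a Sitecore web.config.

Added example, not Sitecore's own tooling. Assumes the standard layout
<configuration><system.web><machineKey .../></system.web></configuration>.
"""
import secrets
import xml.etree.ElementTree as ET

# Placeholder only: the real static keys are listed in Sitecore advisory
# SC2025-005 and are deliberately not reproduced here.
KNOWN_LEGACY_KEYS = {
    "PLACEHOLDER_LEGACY_VALIDATION_KEY",
    "PLACEHOLDER_LEGACY_DECRYPTION_KEY",
}

# Recommended sizes in bytes: 64 for an HMACSHA256 validation key
# (128 hex chars) and 32 for an AES decryption key (64 hex chars).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
WEAK_VALIDATION_ALGORITHMS = {"MD5", "SHA1"}


def generate_machine_key() -> dict:
    """Return a fresh, random set of machineKey attributes (upper-case hex, as IIS emits)."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def _find_machine_key(root):
    system_web = root.find("system.web")
    return None if system_web is None else system_web.find("machineKey")


def audit_machine_key(config_xml: str) -> list:
    """Return a list of human-readable findings for the <machineKey> in web.config text."""
    findings = []
    mk = _find_machine_key(ET.fromstring(config_xml))
    if mk is None:
        findings.append("no explicit <machineKey>: ASP.NET auto-generates one per app pool; "
                        "a multi-instance farm needs an explicit, shared, random key")
        return findings
    expected = {"validationKey": VALIDATION_KEY_BYTES * 2,
                "decryptionKey": DECRYPTION_KEY_BYTES * 2}
    for attr, min_hex_len in expected.items():
        value = mk.get(attr, "")
        if not value or value.lower().startswith("autogenerate"):
            findings.append(f"{attr} is auto-generated (acceptable for single-instance only)")
        elif value in KNOWN_LEGACY_KEYS:
            findings.append(f"{attr} matches a known published legacy key: rotate immediately")
        elif len(value) < min_hex_len:
            findings.append(f"{attr} is shorter than recommended ({len(value)} hex chars)")
    if mk.get("validation", "").upper() in WEAK_VALIDATION_ALGORITHMS:
        findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Return web.config text with <machineKey> replaced by freshly generated values."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(generate_machine_key())
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a config still carrying the placeholder legacy key and SHA1.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_LEGACY_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_LEGACY_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

ElementTree drops XML comments and original formatting when it serializes, so in practice use the rewritten element as input to a change-controlled edit rather than overwriting web.config blindly. In a multi-instance deployment every instance must receive the same new key, otherwise ViewState produced by one node fails validation on another.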

Indicators of Compromise (IoCs)

To assist in detection efforts, security teams should monitor for the following activity:

  • Network Traffic: Abnormal or high-volume requests to the /sitecore/blocked.aspx endpoint.

  • Account Creation: Suspicious new user accounts on the server, such as asp$ or sawadmin.

  • Files/Processes: Presence of files or processes related to WEEPSTEEL malware or the EARTHWORM tunneling tool in public application directories.

  • Detection Rules: Mandiant has published a YARA rule specifically for detecting WEEPSTEEL malware.
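The hunt script below is an added example and is not Mandiant's, Sitecore's or the article's own tooling. It applies the first two indicators above: it parses IIS W3C log text, isolates POST requests to /sitecore/blocked.aspx, flags client IPs whose request count exceeds a threshold, and checks a list of local account names against the suspicious names given in the article. The log lines, the account list and the threshold value are constructed assumptions for the demonstration.

```python
"""Hunt for CVE-2025-53690 indicators in IIS W3C logs and local account names.

Added example, not vendor tooling. Field order is taken from the #Fields header
embedded in the sample, so it adapts to any IIS logging configuration.
"""
from collections import Counter

TARGET_PATH = "/sitecore/blocked.aspx"
SUSPICIOUS_ACCOUNTS = {"asp$", "sawadmin"}   # names reported in observed intrusions
REQUEST_THRESHOLD = 5                        # constructed threshold; tune per site traffic

# Constructed IIS W3C log sample (IIS writes '+' for spaces inside fields).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-03 10:00:01 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2025-09-03 10:00:02 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-09-03 10:00:03 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.23 python-requests/2.31 500
2025-09-03 10:00:04 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.23 python-requests/2.31 500
2025-09-03 10:00:05 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2025-09-03 10:00:06 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-09-03 10:00:07 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-09-03 10:00:08 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-09-03 10:00:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows) 200
2025-09-03 10:00:10 10.0.0.5 GET /api/content - 443 - 192.0.2.10 Mozilla/5.0+(Windows) 200
"""


def parse_w3c(log_text: str) -> list:
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif not line.strip() or line.startswith("#"):
            continue                           # blank lines and other directives
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_blocked_aspx_posts(log_text: str) -> list:
    """Return every POST to the ViewState-bearing endpoint, in log order."""
    return [r for r in parse_w3c(log_text)
            if r.get("cs-method") == "POST"
            and r.get("cs-uri-stem", "").lower() == TARGET_PATH]


def flag_high_volume(log_text: str, threshold: int = REQUEST_THRESHOLD) -> dict:
    """Map client IP -> POST count for IPs at or above the threshold."""
    counts = Counter(r["c-ip"] for r in find_blocked_aspx_posts(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def check_accounts(account_names) -> set:
    """Return the subset of local account names that match the reported suspicious names."""
    return {name.lower() for name in account_names if name.lower() in SUSPICIOUS_ACCOUNTS}


if __name__ == "__main__":
    for ip, n in flag_high_volume(SAMPLE_IIS_LOG).items():
        print(f"ALERT: {n} POSTs to {TARGET_PATH} from {ip}")
    # Constructed account list, e.g. the output of `net user` on the web server.
    print("suspicious accounts:", check_accounts(["Administrator", "ASP$", "svc_sitecore", "sawadmin"]))
```

A single POST to the endpoint is normal browser behaviour, which is why the script alerts on volume per source rather than on presence alone; the 500 responses in the sample are worth a second look in practice because a payload that fails deserialization on a patched host typically surfaces as a server error.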

Conclusion

CVE-2025-53690 is a critical vulnerability that highlights the dangers of insecure configurations, even within robust enterprise software. The combination of active exploitation and the availability of public scanning templates makes it urgent for organizations to verify their Sitecore implementations and apply necessary fixes. A rapid response is essential to prevent remote code execution and full system compromise.

Disclaimer: This article is for informational purposes only. All techniques described herein should only be used ethically and legally within controlled environments and with proper authorization.

Take your security to the next level: If you want to test your systems' resilience effectively, we invite you to host a hacking tournament at Bypassec, a platform where over 100 ethical hackers are ready to identify vulnerabilities in your environment before the bad actors do.
