Vulnerability alerts
3 min read
September 8, 2025

CVE-2025-53690: Critical vulnerability in Sitecore leads to remote code execution


A critical security vulnerability has been identified in Sitecore deployments that were set up with the sample ASP.NET machine key printed in old Sitecore deployment guides (2017 and earlier). Tracked as CVE-2025-53690, the issue affects Sitecore XP 9.0 and earlier, and the Sitecore Active Directory module 1.4 and earlier, wherever that sample key was left in place. Because the key is public, anyone who knows it can sign a malicious ViewState payload that the server will trust, which turns into a ViewState deserialization attack and unauthenticated remote code execution on the web server.

The attack was discovered and disrupted by Mandiant Threat Defense, whose investigation documented the full attack lifecycle. The attacker used the initial compromise to deploy internal reconnaissance tools and then moved laterally using a set of widely available open-source tools.

Summary

Vulnerability: ViewState Deserialization attack due to the use of an exposed ASP.NET machine key.

CVE: CVE-2025-53690

Impact: Unauthenticated remote code execution, privilege escalation, internal reconnaissance, data exfiltration (for example web.config), and lateral movement.

Affected Versions: Sitecore XP 9.0 and earlier, and Active Directory module 1.4 and earlier, when deployed with the sample machine key.

Severity: Critical

Fix: Sitecore has updated deployment guides to generate unique machine keys. Affected customers should refer to Sitecore’s advisory.

How the attack works

The core of this vulnerability is a ViewState deserialization attack. ViewState is an ASP.NET feature that persists the state of a page across postbacks by serializing it into a hidden form field (__VIEWSTATE). The server protects that blob with a message authentication code (and optionally encryption) keyed by the application's machine key (the validationKey and decryptionKey in web.config), and it only deserializes a ViewState whose MAC verifies. The protection therefore rests entirely on the key staying secret: whoever holds the key can author ViewState the server will accept. Mandiant found that an attacker exploited Sitecore instances that had been deployed from an outdated guide which published the sample machine key.

Knowing the key, the attacker could craft a malicious ViewState payload carrying a .NET deserialization gadget chain; the open-source project ysoserial.NET generates exactly this kind of payload when given the validation key. By sending a POST request to a legitimate, unauthenticated Sitecore endpoint (/sitecore/blocked.aspx), which renders a page with a hidden ViewState field, the attacker got the server to deserialize the payload and execute code. This initial compromise provided a foothold with NETWORK SERVICE privileges, which the attacker then used to escalate access and conduct internal reconnaissance.
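To make the "whoever holds the key can forge ViewState" point concrete, here is an added example (not code from the Sitecore advisory or the Mandiant report) that models ViewState MAC protection as an HMAC-SHA256 over the serialized state. It is a deliberately simplified model, not ASP.NET's real implementation (ASP.NET 4.5+ derives per-purpose keys with SP800-108 and uses its own serialization format), and the "sample key" below is a constructed placeholder, not the key from any Sitecore document. What it shows is the same in both: a forged blob signed with a leaked key verifies, and it stops verifying the moment the key is rotated.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TAG_LEN = 32  # SHA-256 digest length


def sign_viewstate(state: bytes, validation_key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the server can detect tampering."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state + tag


def verify_viewstate(blob: bytes, validation_key: bytes) -> Optional[bytes]:
    """Return the state if the tag verifies, else None (server rejects the postback)."""
    if len(blob) < TAG_LEN:
        return None
    state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state


# Constructed placeholder standing in for a key copied from a public guide.
# This is NOT the Sitecore sample key; it only needs to be "known to everyone".
SAMPLE_KEY_FROM_GUIDE = bytes.fromhex("00" * 32)


def attacker_forges(serialized_gadget_chain: bytes, leaked_key: bytes) -> bytes:
    """Anyone holding the validation key can sign arbitrary state, e.g. a gadget chain."""
    return sign_viewstate(serialized_gadget_chain, leaked_key)


def demo() -> Dict[str, bool]:
    """Walk through the four cases a defender cares about."""
    legit = sign_viewstate(b"page-state", SAMPLE_KEY_FROM_GUIDE)
    forged = attacker_forges(b"serialized-gadget-chain", SAMPLE_KEY_FROM_GUIDE)
    # A unique per-deployment key: 64 random bytes from the OS CSPRNG.
    fresh_key = secrets.token_bytes(64)
    # Flip one bit of the tag to show MAC validation catches ordinary tampering.
    tampered = legit[:-1] + bytes([legit[-1] ^ 0x01])
    return {
        "legit_accepted": verify_viewstate(legit, SAMPLE_KEY_FROM_GUIDE) is not None,
        "forged_accepted_with_sample_key": verify_viewstate(forged, SAMPLE_KEY_FROM_GUIDE) is not None,
        "forged_rejected_after_rotation": verify_viewstate(forged, fresh_key) is None,
        "tampered_rejected": verify_viewstate(tampered, SAMPLE_KEY_FROM_GUIDE) is None,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The second result is the whole vulnerability: MAC validation was working as designed, it just had nothing to protect once the key was public. The third result is why rotating the key is the fix rather than any setting on the ViewState itself.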

Exploitation in the wild

The attack was used by a threat actor to achieve remote code execution and then escalate privileges. The attacker clearly knew the product: each step from initial server compromise to privilege escalation targeted Sitecore-specific details. They first deployed WEEPSTEEL, a reconnaissance backdoor that gathers system, network, and user information. Its output was encrypted and exfiltrated in the HTTP response, disguised as the value of a hidden __VIEWSTATE form field so that it blended in with normal page traffic. From that foothold the threat actor deployed a set of open-source tools to expand access and map the internal network: EARTHWORM for network tunneling, DWAGENT for persistent remote access, and SHARPHOUND for Active Directory reconnaissance.

What makes this so dangerous

This vulnerability combines several high-risk factors that make it a critical threat:

  • Unauthenticated exploitation: The initial compromise required no credentials and targeted an internet-facing endpoint.
  • Use of open-source tools: The threat actor relied on easily obtained, widely available open-source tools to escalate privileges and perform reconnaissance, so nothing in the post-exploitation phase depended on custom tooling.
  • Complete attack chain: The attacker progressed from initial remote code execution to deploying reconnaissance tools, stealing credentials, and moving laterally.
  • Machine key compromise: The root cause is a static, publicly documented machine key. The key is the only thing standing between an anonymous request and arbitrary deserialization, yet it was long treated as low-priority configuration.

Remediation and its complexities

Sitecore has confirmed that its modern deployments automatically generate a unique machine key. The issue is confined to older deployments that may still be running with the publicly exposed sample key. Mandiant recommends that all customers who deployed a potentially vulnerable version of Sitecore consult the official advisory immediately for detailed remediation instructions.

The hard part is not the fix itself but finding every legacy instance that inherited the key from an old deployment guide, including copies of web.config that were cloned into staging and disaster-recovery environments. Organizations need to confirm which instances are affected and then harden beyond the key rotation alone.

Mitigation steps and best practices

1. Review your deployment configurations: Audit the <machineKey> element in every Sitecore web.config to confirm whether the sample key (or any key copied from documentation) was used. Replace it with a uniquely generated key immediately, on every node of a web farm at once. Assume that anything encrypted or signed with the old key is untrusted.

2. Enable View State MAC: Make sure ViewState message authentication code (MAC) validation is on so that ViewState integrity is checked. Note that on ASP.NET 4.5.2 and later MAC validation is always enforced regardless of the enableViewStateMac setting, and that it only helps while the key is secret; it is not a substitute for step 1.

3. Encrypt secrets: Encrypt plaintext secrets in web.config, including the machineKey section itself and database connection strings (for example with aspnet_regiis -pe), so that a file read or an exfiltrated web.config does not hand over the key a second time.

4. Harden your systems: Reduce the attack surface of the web tier, for instance by restricting outbound and lateral network access from the web server, and monitor for unusual host and network reconnaissance activity.
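The audit in step 1 is easy to script. The following is an added example (not a Sitecore tool) that parses a web.config, flags a validationKey or decryptionKey that matches a list of known-published keys, flags weak validation or decryption algorithms, and emits a replacement <machineKey> element with CSPRNG-generated keys. The PUBLISHED_SAMPLE_KEYS set and the SAMPLE_WEB_CONFIG below are constructed placeholders; populate the set from your own sources rather than from this page.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import List

# Constructed placeholder: hex keys your team knows were copied from public guides.
# This value is hypothetical and is NOT the key from any Sitecore document.
PUBLISHED_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,  # 128 hex chars, constructed
}
WEAK_VALIDATION = {"SHA1", "MD5", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(web_config_xml: str) -> List[str]:
    """Return findings for the <system.web>/<machineKey> element of a web.config."""
    findings: List[str] = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit key: ASP.NET auto-generates one per server. Safe for a
        # single node, but ViewState will not round-trip across a web farm.
        return ["no <machineKey> element; keys are auto-generated per server"]
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    for name, key in (("validationKey", vkey), ("decryptionKey", dkey)):
        if key.startswith("AutoGenerate"):
            continue
        if key.upper() in PUBLISHED_SAMPLE_KEYS:
            findings.append(f"{name} matches a published sample key: rotate immediately")
        elif len(key) < 40:  # ASP.NET accepts 40 to 128 hex chars for validationKey
            findings.append(f"{name} is only {len(key)} hex chars; too short")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(f"weak validation algorithm {validation}; use HMACSHA256")
    decryption = mk.get("decryption", "AES")
    if decryption.upper() in WEAK_DECRYPTION:
        findings.append(f"weak decryption algorithm {decryption}; use AES")
    return findings


def generate_machine_key() -> str:
    """Emit a fresh <machineKey> with a 64-byte HMAC key and a 32-byte AES key."""
    vkey = secrets.token_hex(64).upper()  # 128 hex chars
    dkey = secrets.token_hex(32).upper()  # 64 hex chars
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            f'validation="HMACSHA256" decryption="AES" />')


# Constructed web.config that reuses the placeholder sample key above.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'0123456789ABCDEF' * 8}"
                decryptionKey="{'0123456789ABCDEF' * 4}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def fixed_web_config() -> str:
    """Minimal web.config carrying a freshly generated machineKey element."""
    return f"<configuration><system.web>{generate_machine_key()}</system.web></configuration>"


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("Replacement element:", generate_machine_key())
```

Run it against every web.config you can find, not just the one on the production CM server: the same element is typically copied to CD nodes and to any environment that was cloned from the original deployment. A match on a published key means the key must be replaced on all nodes in the same change window, because ViewState signed on one node must still verify on the others.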

Continuous detection

Security teams should actively monitor for indicators of compromise tied to this campaign: POST requests to the /sitecore/blocked.aspx endpoint, which is normally only fetched with GET; creation of new local administrator accounts, specifically asp$ and sawadmin in the observed intrusion; and execution of reconnaissance tooling such as SHARPHOUND on or from the web server. Early detection is what keeps an initial web-tier compromise from turning into lateral movement and a full network compromise.
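As an added example (not from the Mandiant report or any vendor detection content), the following script applies those three indicators to constructed sample data: IIS W3C log lines, and security events in the dictionary shape you would get after parsing EVTX into JSON. The log lines, event field names and process names are illustrative; the account names asp$ and sawadmin and the endpoint path are the ones reported above.

```python
from typing import Dict, List

# Constructed IIS W3C log (spaces inside field values appear as '+' in real IIS logs).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2025-09-01 10:01:02 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.10 Mozilla/5.0 200 5120 410 15
2025-09-01 10:01:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 python-requests/2.31 200 2200 18423 230
2025-09-01 10:01:41 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 python-requests/2.31 200 2200 18423 230
2025-09-01 10:02:30 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 1800 300 9
"""

# Constructed Windows events (4720 = account created, 1 = Sysmon process create).
# Field names follow the EVTX EventData names; values are made up for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4720", "TargetUserName": "svc_backup", "SubjectUserName": "Administrator"},
    {"EventID": "4720", "TargetUserName": "asp$", "SubjectUserName": "WEB01$"},
    {"EventID": "4720", "TargetUserName": "sawadmin", "SubjectUserName": "asp$"},
    {"EventID": "1", "Image": "C:\\Windows\\Temp\\sh.exe", "CommandLine": "sh.exe -c All --domain corp.local"},
    {"EventID": "1", "Image": "C:\\Windows\\Temp\\SharpHound.exe", "CommandLine": "SharpHound.exe -c All"},
]

SUSPICIOUS_ACCOUNTS = {"asp$", "sawadmin"}
# Low-fidelity name match; attackers rename binaries, so pair this with
# behavioural signals (e.g. LDAP enumeration volume from a web server).
RECON_TOOL_MARKERS = ("sharphound", "dwagent", "earthworm")


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text using its own #Fields: header for column names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def flag_blocked_aspx_posts(records: List[Dict[str, str]], min_request_bytes: int = 4096) -> List[Dict[str, object]]:
    """Any POST to /sitecore/blocked.aspx is suspicious; a large body suggests a ViewState payload."""
    hits: List[Dict[str, object]] = []
    for r in records:
        if r.get("cs-method") != "POST":
            continue
        if not r.get("cs-uri-stem", "").lower().endswith("/sitecore/blocked.aspx"):
            continue
        size = int(r.get("cs-bytes", "0"))
        hits.append({
            "time": f'{r["date"]} {r["time"]}',
            "client": r["c-ip"],
            "user_agent": r.get("cs(User-Agent)", "-"),
            "request_bytes": size,
            "large_body": size >= min_request_bytes,
        })
    return hits


def flag_account_creation(events: List[Dict[str, str]]) -> List[str]:
    """Return created account names that match the ones seen in this campaign."""
    return [e["TargetUserName"] for e in events
            if e.get("EventID") == "4720"
            and e.get("TargetUserName", "").lower() in SUSPICIOUS_ACCOUNTS]


def flag_recon_tools(events: List[Dict[str, str]]) -> List[str]:
    """Return process image paths whose name or command line mentions a known recon tool."""
    hits = []
    for e in events:
        if e.get("EventID") != "1":
            continue
        haystack = (e.get("Image", "") + " " + e.get("CommandLine", "")).lower()
        if any(marker in haystack for marker in RECON_TOOL_MARKERS):
            hits.append(e["Image"])
    return hits


if __name__ == "__main__":
    for hit in flag_blocked_aspx_posts(parse_iis_log(SAMPLE_IIS_LOG)):
        print("blocked.aspx POST:", hit)
    print("suspicious accounts:", flag_account_creation(SAMPLE_EVENTS))
    print("recon tools:", flag_recon_tools(SAMPLE_EVENTS))
```

The GET to blocked.aspx from a second client is deliberately left unflagged: the page is legitimately served with GET, and the signal here is the method plus a multi-kilobyte request body from a non-browser user agent. The renamed sh.exe line shows the limit of name matching, which is why the account-creation and network indicators matter more than the process name.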

Final thoughts

CVE-2025-53690 carries a plain lesson: a configuration detail that looks minor, a sample machine key copied from a guide, is enough to unlock a full system compromise. The choice of ViewState deserialization as the entry point and the disciplined post-exploitation activity show how well modern adversaries understand the platforms they target. Administrators should review their Sitecore configurations now, rotate any key that came from documentation, and apply the hardening steps above before this technique is used against them.
