
A critical zero-day vulnerability has been identified in several Sitecore products, allowing remote code execution by attackers. The vulnerability, CVE-2025-53690, is attributed to a ViewState deserialization flaw and is currently being exploited in the wild.
Investigations have revealed that attackers leverage exposed ASP.NET machine keys from Sitecore deployment guides dating back to 2017 and earlier. These keys enable the bypassing of validation mechanisms, allowing attackers to send malicious ViewState payloads to servers, resulting in remote code execution.
Sitecore has recognized the vulnerability, labeled as SC2025-005, impacting customers who used the sample machine key from outdated deployment guides. In response, Sitecore has updated its deployment process to automatically generate unique machine keys and has alerted affected customers.
Impacted Products and Attack Details
The vulnerability potentially affects several Sitecore products, including:
- Experience Manager (XM)
- Experience Platform (XP)
- Experience Commerce (XC)
- Managed Cloud
Products such as XM Cloud, Content Hub, and OrderCloud are not affected. Sitecore urges customers to consult its official advisory for the complete list and guidance.
Mandiant's investigation revealed that the attack began with exploitation of the ViewState deserialization vulnerability on an internet-facing Sitecore instance. The attacker employed custom malware, WEEPSTEEL, for internal reconnaissance. This malware, delivered inside the ViewState payload, gathered system, network, and user information, which was then encrypted and exfiltrated.
Following the initial compromise, the attacker used several open-source tools to extend their access, including:
- EARTHWORM: A network tunneling tool for covert command-and-control channels.
- DWAGENT: A tool for persistent remote access.
- SHARPHOUND: An Active Directory reconnaissance tool.
The threat actor escalated privileges by creating local administrator accounts and attempted to dump credentials from the SAM/SYSTEM hives to facilitate lateral movement via the Remote Desktop Protocol (RDP). To maintain access, they installed DWAGENT as a service and altered account settings to prevent password expiration.
Mitigations
Mandiant recommends all Sitecore customers review their environments and adopt ASP.NET security best practices. This includes automating machine key rotation, enabling ViewState Message Authentication Code (MAC), and encrypting plaintext secrets.
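As an added illustration of the first of those checks (not code from the article, Sitecore, or Mandiant), the script below audits a web.config for the conditions this incident turned on: a static machineKey whose value matches a published sample, any static key at all, and ViewState MAC switched off. The sample-key fingerprints, the attribute values, and both web.config fragments are constructed placeholders; the real sample keys are not reproduced and would be populated from the vendor advisory.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder: SHA-256 fingerprints of key values that must never appear in
# production. Populate from the vendor advisory (SC2025-005); the real sample keys are
# deliberately not reproduced here. Hashing lets the list be shared without the keys.
KNOWN_SAMPLE_KEY_FINGERPRINTS = {
    hashlib.sha256(b"SAMPLE_VALIDATION_KEY_PLACEHOLDER").hexdigest(),
    hashlib.sha256(b"SAMPLE_DECRYPTION_KEY_PLACEHOLDER").hexdigest(),
}


def audit_web_config(web_config_xml: str) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for ViewState-related settings in a web.config."""
    findings = []
    root = ET.fromstring(web_config_xml)
    machine_key = root.find("./system.web/machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue  # per-application generated key: nothing static to have been published
            if hashlib.sha256(value.encode()).hexdigest() in KNOWN_SAMPLE_KEY_FINGERPRINTS:
                findings.append(("SAMPLE_KEY", f"{attr} matches a published sample key; rotate now"))
            else:
                # A unique, deployment-generated static key is fine; it still warrants a rotation check.
                findings.append(("STATIC_KEY", f"{attr} is static; confirm it is unique and rotated"))
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("MAC_DISABLED", "enableViewStateMac=false: ViewState is not authenticated"))
    return findings


# Constructed web.config fragments: one mirroring the copy-from-guide pattern,
# one using per-application auto-generated keys with ViewState MAC left on.
WEAK_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="SAMPLE_VALIDATION_KEY_PLACEHOLDER"
              decryptionKey="SAMPLE_DECRYPTION_KEY_PLACEHOLDER"
              validation="HMACSHA256" decryption="AES" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

HARDENED_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg))
```

Auto-generated keys are not usable across a web farm; in that case each deployment needs its own uniquely generated static key, which the audit reports as STATIC_KEY for review rather than as a finding to fix.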
Sitecore has issued detailed remediation instructions in its official advisory (SC2025-005). The company strongly advises customers to ensure their environments are running security-supported versions and to apply all available security fixes promptly.
This vulnerability underscores the risks of using default or sample configurations in production environments and highlights the necessity for continuous security monitoring and proactive patching.