The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed Federal Civilian Executive Branch (FCEB) agencies to urgently patch their Sitecore systems by September 25, 2025, after confirming that a critical flaw is actively being exploited.
Details of the Vulnerability
The flaw, tracked as CVE-2025-53690, holds a CVSS score of 9.0, marking it as highly critical.
According to CISA, multiple Sitecore products, including Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, are vulnerable to a deserialization-of-untrusted-data issue that stems from default ASP.NET machine keys.
This weakness enables attackers to exploit exposed machine keys and achieve remote code execution (RCE).
Discovery and Exploitation Path
Threat intelligence experts at Mandiant discovered that attackers are abusing sample machine keys published in outdated Sitecore deployment guides (2017 and earlier). The attackers remain unattributed, but their tradecraft shows deep familiarity with Sitecore's internals, carrying them from initial compromise through privilege escalation.
- In February 2025, Microsoft first reported the abuse of exposed ASP.NET keys, noting limited exploitation attempts dating back to December 2024, where adversaries deployed the Godzilla post-exploitation framework.
- In May 2025, ConnectWise disclosed another vulnerability (CVE-2025-3935, CVSS 8.1) in ScreenConnect, exploited by a suspected nation-state actor for ViewState injection attacks.
- By July 2025, Initial Access Broker (IAB) Gold Melody was seen selling unauthorized access gained through leaked ASP.NET keys.
Attack Techniques and Tools Used
Mandiant’s analysis shows attackers using CVE-2025-53690 to breach internet-facing Sitecore servers, then deploying a blend of custom and open-source tools for reconnaissance, persistence, and lateral movement.
Key findings:
- WEEPSTEEL Malware: A .NET assembly payload, delivered using exposed machine keys, capable of gathering system, network, and user data. It shares code similarities with the open-source tool ExchangeCmdPy.py.
- EarthWorm: Used for network tunneling via SOCKS.
- DWAgent: Provided persistent remote access and Active Directory reconnaissance.
- SharpHound: Collected Active Directory data.
- GoTokenTheft: Enumerated user tokens, executed commands, and analyzed running processes.
- RDP (Remote Desktop Protocol): Enabled lateral movement across the network.
Attackers also created local administrator accounts (“asp$” and “sawadmin”) to dump SAM/SYSTEM hives, gaining admin credentials. These accounts were later removed after attackers established more stable access methods.
Recommended Mitigations
Security experts recommend that organizations:
- Rotate ASP.NET machine keys immediately.
- Restrict external exposure of Sitecore systems.
- Harden configurations against misuse.
- Scan environments for compromise indicators.
According to VulnCheck’s Caitlin Condon, the vulnerability stems from both insecure configurations (use of static keys) and public exposure, highlighting that threat actors actively study product documentation for weaknesses.
Ryan Dewhurst of watchTowr added that the issue mainly arises because customers copied sample keys from documentation instead of generating unique ones. New Sitecore deployments now generate random keys by default, but older setups remain at risk.
“Any deployment running with these known keys is directly exposed to ViewState deserialization attacks, a straight path to Remote Code Execution (RCE),” Dewhurst warned.
The full impact of this flaw is still being assessed, but experts caution that its severity places it among the most dangerous vulnerabilities disclosed in 2025.