
Threat actors are actively exploiting a zero-day ViewState deserialization vulnerability (CVE-2025-53690) in legacy Sitecore deployments, specifically versions up to 9.0, that reused publicly documented ASP.NET machine keys. This misconfiguration allows remote code execution (RCE) and the deployment of reconnaissance malware like WeepSteel, followed by privilege escalation and data exfiltration tools. The flaw poses a significant cybersecurity risk for affected enterprises, necessitating immediate replacement and encryption of static machine keys to mitigate potential data breaches and operational disruptions.
A significant zero-day vulnerability, tracked as CVE-2025-53690, is being actively exploited in legacy versions of the Sitecore platform (up to version 9.0), presenting a material risk to enterprises running this software. The vulnerability is not an inherent flaw in the software itself but a critical misconfiguration: publicly documented sample ASP.NET machine keys were reused in production environments, which lets an attacker forge ViewState payloads and achieve remote code execution (RCE). Mandiant's research confirms that threat actors are leveraging this flaw in multi-stage attacks, beginning with the deployment of 'WeepSteel' reconnaissance malware, then escalating privileges, exfiltrating data using tools like 'Earthworm' and 'Dwagent', and establishing persistence. The impact is confined to older, self-managed deployments; modern cloud-native offerings such as XM Cloud are unaffected. This incident underscores the significant and often underestimated security risks associated with technical debt and improper configuration of legacy enterprise systems, placing the onus on customers to perform manual remediation by replacing and encrypting static keys.
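The remediation described above comes down to two checks a defender can automate: does a self-managed deployment's web.config carry a static `<machineKey>` whose values match keys published in documentation, and can it be replaced with freshly generated random material. The script below is an added example written for this page; it is not code from Sitecore, Mandiant or the original article. The web.config fragment and the list of "known public sample keys" are constructed placeholders (an organisation would populate the list from the vendor documentation it audits against), and a static key is flagged as a finding only when it matches that list or uses a weak validation algorithm, since web farms legitimately need static keys.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment with a static <machineKey> element.
# The key values are placeholders standing in for keys copied from public documentation.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_PUBLIC_SAMPLE_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_PUBLIC_SAMPLE_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed placeholder list; in practice this holds the real sample keys from the docs being audited.
KNOWN_PUBLIC_SAMPLE_KEYS = {
    "PLACEHOLDER_PUBLIC_SAMPLE_VALIDATION_KEY",
    "PLACEHOLDER_PUBLIC_SAMPLE_DECRYPTION_KEY",
}

WEAK_VALIDATION_ALGORITHMS = {"MD5", "SHA1"}


def audit_machine_key(config_xml: str) -> dict:
    """Inspect the <machineKey> element of an ASP.NET web.config and report findings.

    'static'        -> keys are hard-coded rather than AutoGenerate (not a finding by itself)
    'public_sample' -> a hard-coded key matches a publicly documented sample key (critical)
    'weak_validation' -> ViewState MAC uses MD5 or SHA1 instead of an HMAC-SHA2 variant
    """
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    findings = {"present": mk is not None, "static": False,
                "public_sample": False, "weak_validation": False}
    if mk is None:
        return findings  # ASP.NET defaults to auto-generated keys when the element is absent
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    findings["static"] = not (vkey.startswith("AutoGenerate") or dkey.startswith("AutoGenerate"))
    findings["public_sample"] = vkey in KNOWN_PUBLIC_SAMPLE_KEYS or dkey in KNOWN_PUBLIC_SAMPLE_KEYS
    findings["weak_validation"] = mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION_ALGORITHMS
    return findings


def generate_machine_key(validation_bytes: int = 64, decryption_bytes: int = 32) -> dict:
    """Produce replacement key material from the OS CSPRNG, hex-encoded as ASP.NET expects.

    64 bytes of validation key suits HMACSHA256; 32 bytes of decryption key gives AES-256.
    """
    return {
        "validationKey": secrets.token_hex(validation_bytes).upper(),
        "decryptionKey": secrets.token_hex(decryption_bytes).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys: dict) -> str:
    """Render the replacement element ready to paste into <system.web>."""
    attrs = " ".join(f'{name}="{value}"' for name, value in keys.items())
    return f"<machineKey {attrs} />"


def remediate(config_xml: str) -> str:
    """Return a copy of the config with the static <machineKey> replaced by fresh random keys."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    old = system_web.find("machineKey")
    if old is not None:
        system_web.remove(old)
    system_web.append(ET.fromstring(render_machine_key(generate_machine_key())))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    fixed = remediate(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(fixed))
```

Generating a new key only closes half the gap: the replacement element still sits in plaintext in web.config, which is why the article pairs replacement with encryption. On IIS hosts the standard tool for that step is `aspnet_regiis.exe -pe "system.web/machineKey" -app "/<site>"`, which protects the section with the Windows DPAPI provider so a file-read exposure no longer yields the key.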