Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity.
“Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.
“This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.”
Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group.
“The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said.
The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the key to deliver the Godzilla post-exploitation framework.
Then in May 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS score: 8.1) that it said had been exploited in the wild by a nation-state threat actor to conduct ViewState code injection attacks targeting a small set of customers.
As recently as July, the Initial Access Broker (IAB) known as Gold Melody was attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and sell that access to other threat actors.
In the attack chain documented by Mandiant, CVE-2025-53690 is weaponized to achieve initial compromise of the internet-facing Sitecore instance, leading to the deployment of a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance.
The ViewState payload delivered using the sample machine key specified in publicly available deployment guides is a .NET assembly dubbed WEEPSTEEL, which is capable of gathering system, network, and user information, and exfiltrating the details back to the attacker. The malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py.
With the access obtained, the attackers have been found to establish a foothold, escalate privileges, maintain persistence, conduct internal network reconnaissance, and move laterally across the network, ultimately leading to data theft. Some of th…