A new zero-day vulnerability has been discovered in Sitecore, and attackers are already taking advantage of it. The flaw is tracked as CVE-2025-53690 and has been linked to active exploitation in the wild. Security researchers from Mandiant revealed that hackers are using this weakness to run malicious code on vulnerable servers, giving them a direct way to break into Sitecore environments.

The vulnerability lies in the way Sitecore uses ASP.NET’s ViewState. Normally, ViewState data is protected with a secret machineKey, but Sitecore’s older documentation included a sample key, and many administrators copied that key into their real deployments. Because the key is publicly known, attackers can forge ViewState data that the server accepts as legitimate and processes, which results in attacker-supplied code being executed on the server.

The issue is not limited to one product. According to Sitecore, the problem affects Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and some on-premise deployments if they were configured with the sample machineKey. This turns what should have been a safe internal setting into a major backdoor for attackers.

Mandiant observed that attackers are targeting a specific Sitecore page called /sitecore/blocked.aspx. By sending malicious ViewState payloads to this page, they were able to trigger remote code execution. In real-world incidents, the attackers used this technique to install a reconnaissance malware tool named WEEPSTEEL and deployed other utilities like tunneling software and remote access clients to strengthen their foothold.

Once the hackers gained initial access, they quickly escalated their activities. Investigators found evidence of privilege escalation, creation of new local administrator accounts, credential dumping, and tunneling operations. They also moved laterally within the compromised networks, attempting to expand control beyond the initial server. This shows that the attackers were not just testing the flaw but were carrying out full intrusion campaigns.

Sitecore has already responded by releasing an official advisory along with updated guidance for administrators. They worked closely with Mandiant to analyze the attacks and help organizations defend against them. Patches and configuration fixes have been provided, but the responsibility now lies with administrators to act quickly and implement these measures.

The seriousness of this vulnerability has been acknowledged by the wider security community. CVE-2025-53690 has been added to public vulnerability databases and to known-exploited vulnerability lists, which means defenders are urged to treat it with high priority. Some agencies and researchers have also highlighted its critical CVSS rating, reinforcing the urgency of patching.

What makes this case stand out is that it wasn’t caused by a deep flaw in ASP.NET itself, but by a misconfiguration. Using a default or sample key in production may have seemed harmless, but in reality, it gave attackers an easy way in. This highlights how configuration errors can become just as dangerous as undiscovered software bugs.

Organizations running Sitecore are advised to act immediately. They need to rotate any machineKeys that match the sample from older documentation, apply the latest security updates, and carefully review logs for signs of compromise. Specific red flags include ViewState requests to /sitecore/blocked.aspx, creation of new admin accounts, or artifacts linked to WEEPSTEEL and tunneling tools. Following the guidance from both Mandiant and Sitecore can help stop further exploitation.
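A small triage helper in the spirit of the two checks above (is the sample machineKey still in web.config, and are there ViewState POSTs to /sitecore/blocked.aspx in the IIS logs). This is an added example, not code from Mandiant or Sitecore; the log lines, the web.config fragment and the placeholder key value are constructed, because the real sample key value is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder; replace with the key value(s) quoted in the Sitecore advisory.
SAMPLE_MACHINEKEYS = {"PLACEHOLDER-SAMPLE-VALIDATIONKEY", "PLACEHOLDER-SAMPLE-DECRYPTIONKEY"}
TARGET_PATH = "/sitecore/blocked.aspx"

def parse_iis_w3c(lines):
    """Parse IIS W3C extended log lines, taking column names from the #Fields: header."""
    fields, rows = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def flag_blocked_aspx_posts(lines):
    """Return rows that POST to /sitecore/blocked.aspx (ViewState is submitted in a POST body)."""
    return [r for r in parse_iis_w3c(lines)
            if r.get("cs-method") == "POST"
            and r.get("cs-uri-stem", "").lower() == TARGET_PATH]

def machinekey_matches_sample(web_config_xml, sample_keys=SAMPLE_MACHINEKEYS):
    """True if any <machineKey> validationKey/decryptionKey equals a known sample value."""
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            if mk.get(attr, "") in sample_keys:
                return True
    return False

# Constructed IIS log excerpt (IIS writes '+' for spaces in user agents, so split() is safe).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-04 10:01:12 10.0.0.5 GET /sitecore/login - 443 - 198.51.100.7 Mozilla/5.0 200
2025-09-04 10:01:30 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.7 python-requests/2.31 500
2025-09-04 10:02:01 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""

# Constructed web.config fragment still carrying the (placeholder) sample key.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
<machineKey validationKey="PLACEHOLDER-SAMPLE-VALIDATIONKEY"
            decryptionKey="PLACEHOLDER-SAMPLE-DECRYPTIONKEY" validation="SHA1" decryption="AES"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for row in flag_blocked_aspx_posts(SAMPLE_LOG.splitlines()):
        print("ViewState POST to blocked.aspx from", row["c-ip"], "status", row["sc-status"])
    print("sample machineKey present:", machinekey_matches_sample(SAMPLE_WEB_CONFIG))
```

A match on the machineKey check means the key must be rotated on every server in the farm; the log check surfaces candidate requests for investigation, not proof of compromise on its own.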

This incident is a strong reminder that even small oversights can have massive consequences. Default keys, outdated documentation, and ignored configurations can all open doors for attackers. The lesson here is simple but vital: keep systems updated, avoid reusing sample or weak keys, and continuously monitor for unusual activity. In cybersecurity, the basics often make the biggest difference.

Stay alert, and keep your security measures updated!