CMS Provider Sitecore Patches Exploited Critical Zero Day

by CybrGPT

Security analysts at the Mandiant Threat Defense team have disrupted an attack exploiting a zero-day vulnerability in Sitecore, a popular content management system (CMS) used by companies such as HSBC, L’Oréal, Toyota and United Airlines.

In a report published on September 3, Mandiant, part of Google Cloud, said that the attack leveraged exposed ASP.NET machine keys in Sitecore deployment guides from 2017 and earlier to perform remote code execution (RCE).

ASP.NET is a web application framework developed by Microsoft for building dynamic websites, web apps and application programming interfaces (APIs). ASP.NET machine keys are cryptographic keys used to secure critical operations in ASP.NET applications.

These machine keys were exposed because of a ViewState deserialization vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP).

Ryan Dewhurst, head of proactive threat intelligence at WatchTowr, commented: “The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones – a move we don’t recommend.”
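The failure mode described above, a machineKey lifted verbatim from documentation, is something a defender can audit for and fix. The script below is an added example, not code from Sitecore, Mandiant or watchTowr: it parses a web.config, flags a validationKey or decryptionKey that matches a list of known published sample keys (the list here holds constructed placeholders, not the real documented values), checks the key is plausibly sized hex, and rewrites the element with freshly generated random keys. The sample web.config is constructed for the example.

```python
"""Audit an ASP.NET web.config <machineKey> for copy-pasted sample keys and
rotate it with freshly generated random keys.

Added example. KNOWN_SAMPLE_KEYS and SAMPLE_WEB_CONFIG are constructed
placeholders; a real audit list would hold the strings from the old guides.
"""
import secrets
import xml.etree.ElementTree as ET

# Placeholder values standing in for keys published in deployment guides.
KNOWN_SAMPLE_KEYS = {
    "validationKey": {"0123456789ABCDEF" * 8},   # 128 hex chars = 64 bytes
    "decryptionKey": {"FEDCBA9876543210" * 4},   # 64 hex chars = 32 bytes
}

# Recommended key sizes in bytes for the algorithms written by generate_machine_key().
VALIDATION_KEY_BYTES = 64   # HMACSHA256
DECRYPTION_KEY_BYTES = 32   # AES-256
HEX_DIGITS = set("0123456789ABCDEF")

# Constructed web.config that reuses the placeholder "documented" keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="FEDCBA9876543210" * 4)


def find_machine_key(root):
    """Return the <machineKey> element under <system.web>, or None."""
    return root.find("./system.web/machineKey")


def audit_machine_key(web_config_xml):
    """Return a list of findings; an empty list means the machineKey looks sane."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = find_machine_key(root)
    if mk is None:
        # Without an explicit key ASP.NET auto-generates one per server, which
        # is fine on a single host but breaks web farms, so most sites set one.
        return ["no explicit <machineKey>; verify auto-generation is intended"]
    for attr, expected in (("validationKey", VALIDATION_KEY_BYTES),
                           ("decryptionKey", DECRYPTION_KEY_BYTES)):
        value = mk.get(attr, "")
        if not value or value.startswith("AutoGenerate"):
            continue
        upper = value.upper()
        if upper in KNOWN_SAMPLE_KEYS[attr]:
            # Whoever holds the validationKey can sign ViewState the server
            # will accept and deserialize, which is the root of the RCE.
            findings.append(f"{attr} matches a published sample key")
        if not set(upper) <= HEX_DIGITS:
            findings.append(f"{attr} is not a hex string")
        elif len(upper) < expected * 2:
            findings.append(f"{attr} is shorter than the recommended {expected} bytes")
    return findings


def generate_machine_key():
    """Fresh, unique random keys, the way a practitioner generates them before rotation."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config_xml):
    """Replace (or add) the machineKey element and return the rewritten XML."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = find_machine_key(root)
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for name, value in generate_machine_key().items():
        mk.set(name, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after rotation:", audit_machine_key(rotated) or "no findings")
```

Rotating the key invalidates every ViewState and forms-authentication ticket signed under the old one, so run it against all servers of a web farm at once; the audit alone does not tell you whether a key was already abused, which is the point the Mandiant findings below make.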

Mandiant reported the flaw to Sitecore. Wiz, a CVE Numbering Authority (CNA), disclosed it publicly on September 3 as CVE-2025-53690, with a CVSS severity rating of 9.0 (critical).

When exploited, CVE-2025-53690 allows code injection in Sitecore XM and Sitecore XP up to version 9.0.

Mandiant stated that the vulnerability affects customers who deployed any version of multiple Sitecore products using the sample key exposed in publicly available deployment guides (specifically Sitecore XP 9.0 and Active Directory 1.4 and earlier versions).

Attack Chain Exploiting Sitecore Flaw

Mandiant’s rapid response team disrupted the attack before its full lifecycle could be observed, but the investigation still uncovered key adversary tactics.

The threat actor demonstrated sophisticated knowledge of the targeted product and its vulnerabilities, executing a methodical attack chain:

  1. Initial Access: Exploited CVE-2025-53690 on an internet-facing Sitecore instance, achieving RCE
  2. Reconnaissance and data theft: Deployed WEEPSTEEL malware via a decrypted ViewState payload for internal reconnaissance; archived the web application’s root directory, likely targeting sensitive files, such as web.config; conducted host and network reconnaissance
  3. Persistence: Placed additional tooling in a public directory, including EARTHWORM (open-source network tunneling), DWAGENT (open-source remote access trojan) and SHARPHOUND (open-source AD reconnaissance)
  4. Privilege escalation and lateral movement: Created local admin accounts and dumped SAM/SYSTEM hives to harvest cached credentials; used RDP for lateral movement after credential compromise; maintained persistence via DWAGENT while conducting Active Directory reconnaissance

Attack Impact Still Unknown

Sitecore informed Mandiant that its latest deployments now automatically generate unique machine keys and impacted customers have been notified.

The CMS provider also released a security advisory on September 3 advising its customers on how to mitigate this threat.

Caitlin Condon, VP of security research at VulnCheck, said this attack is another piece of evidence that “threat actors definitely read documentation.”

“The zero-day vulnerability arises from both the insecure configuration itself (i.e. use of the static machine key) and the public exposure. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet,” she advised.

However, she also highlighted that rotating keys and locking down configurations aren’t enough on their own if threat actors were able to gain access to an organization’s network.

“Security and threat hunting teams will need to examine environments for signs of compromise, particularly since Mandiant’s investigation found the threat actor had deployed malware and additional tooling geared toward internal reconnaissance and persistence across one or more compromised environments,” she added.

WatchTowr’s Dewhurst said that, at this stage, the blast radius of the attack remains unknown.

“But this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will,” he argued.

This new attack comes three months after WatchTowr revealed seven vulnerabilities in Sitecore products that could be chained in a large-scale attack.
