CVE-2025-53690
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-10-30
Assigner: Wiz
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sitecore | experience_commerce | up to and including 9.0 |
| sitecore | experience_manager | up to and including 9.0 |
| sitecore | experience_platform | up to and including 9.0 |
| sitecore | managed_cloud | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53690 is a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) up to version 9.0. It is a deserialization of untrusted ViewState data (CWE-502) made possible by deployments that use publicly known sample ASP.NET machine keys. Because the attacker knows the key, they can craft ViewState payloads that pass the integrity and confidentiality checks that the machine key is supposed to provide, which leads to remote code execution on internet-facing Sitecore instances. This lets attackers execute arbitrary code, deploy malware, and gain unauthorized access to the system. [1]
How can this vulnerability impact me?
This vulnerability can lead to severe impacts including remote code execution on the affected Sitecore server, initial compromise with NETWORK SERVICE privileges, deployment of reconnaissance malware (WEEPSTEEL) to gather system and network information, privilege escalation by creating local administrator accounts, persistent remote access via legitimate remote access tools, extensive Active Directory reconnaissance, credential theft, lateral movement across the network using compromised credentials, and potential data exfiltration. Overall, it can result in full system compromise and significant security breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for exploitation attempts against the unauthenticated /sitecore/blocked.aspx endpoint, specifically POST requests carrying malicious ViewState. Indicators include the presence of suspicious files in public directories such as 7za.exe, EARTHWORM, DWAGENT, SHARPHOUND, and VBScript files used to execute commands. Rather than commands to run yourself, the useful signals are the standard Windows reconnaissance commands the attackers were observed executing: whoami, net user, ipconfig, netstat. Additionally, look for the creation of local administrator accounts named asp$ and sawadmin, and check for disabled password expiration on admin accounts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying ASP.NET security best practices: automated machine key rotation, enabling ViewState Message Authentication Code (MAC) validation, and encrypting plaintext secrets in web.config files. Also ensure that unique machine keys are generated automatically in Sitecore deployments so that publicly known sample keys are never used. Monitoring for and removing any unauthorized local administrator accounts and suspicious tools is also recommended. [1]
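The following is an added example, not code from the page or from Sitecore, of a defender-side audit that checks a web.config for the weak settings the mitigation above describes: static (and possibly publicly known) machine keys, a weak validation algorithm, and ViewState MAC disabled. The two embedded configs and the key fingerprint set are constructed placeholders; an operator would populate KNOWN_SAMPLE_KEYS with the sample keys they consider compromised.

```python
import xml.etree.ElementTree as ET

# Constructed weak web.config: static keys, SHA1 validation, MAC disabled.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CONSTRUCTED_SAMPLE_KEY_1"
                decryptionKey="CONSTRUCTED_SAMPLE_KEY_2"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed hardened web.config: per-app auto-generated keys, HMACSHA256, MAC on.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Placeholder set of key values the operator treats as publicly known (constructed).
KNOWN_SAMPLE_KEYS = {"CONSTRUCTED_SAMPLE_KEY_1"}
WEAK_VALIDATION_ALGORITHMS = {"MD5", "SHA1", "3DES"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    # A missing <machineKey> means ASP.NET auto-generates keys, which is acceptable.
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append(f"{attr} is a static literal in web.config; rotate it and encrypt the section")
                if value in KNOWN_SAMPLE_KEYS:
                    findings.append(f"{attr} matches a publicly known sample key; treat as compromised")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION_ALGORITHMS:
            findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is false; ViewState integrity is not enforced")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```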