CVE-2025-53690
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-10-30

Assigner: Wiz

Description
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-53690
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
sitecore experience_commerce to 9.0 (inc)
sitecore experience_manager to 9.0 (inc)
sitecore experience_platform to 9.0 (inc)
sitecore managed_cloud *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-53690 is a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) up to version 9.0. It involves deserialization of untrusted ViewState data due to the use of publicly known sample ASP.NET machine keys. Attackers can craft malicious ViewState payloads that bypass integrity and confidentiality protections, allowing remote code execution on internet-facing Sitecore instances. This enables attackers to execute arbitrary code, deploy malware, and gain unauthorized access to the system. [1]

Impact Analysis

This vulnerability can lead to severe impacts including remote code execution on the affected Sitecore server, initial compromise with NETWORK SERVICE privileges, deployment of reconnaissance malware (WEEPSTEEL) to gather system and network information, privilege escalation by creating local administrator accounts, persistent remote access via legitimate remote access tools, extensive Active Directory reconnaissance, credential theft, lateral movement across the network using compromised credentials, and potential data exfiltration. Overall, it can result in full system compromise and significant security breaches. [1]

Detection Guidance

Detection can involve monitoring for exploitation attempts targeting the unauthenticated /sitecore/blocked.aspx endpoint with malicious ViewState POST requests. Indicators include presence of suspicious files in public directories such as 7za.exe, EARTHWORM, DWAGENT, SHARPHOUND, and VBScript files used to execute commands. Commands to check for attacker activity include standard Windows commands observed in reconnaissance: whoami, net user, ipconfig, netstat. Additionally, look for creation of local administrator accounts named asp$ and sawadmin, and check for disabled password expiration on admin accounts. [1]

Mitigation Strategies

Immediate mitigation steps include implementing ASP.NET security best practices such as automated machine key rotation, enabling ViewState Message Authentication Code (MAC) validation, and encrypting plaintext secrets in web.config files. Also, ensure that unique machine keys are generated automatically in Sitecore deployments to prevent use of publicly known sample keys. Monitoring and removing any unauthorized local administrator accounts and suspicious tools is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-53690. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart