The Federal Civil Enforcement Division (FCEB) agency is advised to update its Sitecore instances by September 25, 2025.
The vulnerability tracked as CVE-2025-53690 features a CVSS score of up to 9.0 out of 10.0, indicating critical severity.
“Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain de-iralization of untrusted data vulnerabilities, including using default machine keys,” says the US Cybersecurity and Infrastructure Security Agency (CISA).
“This flaw allows attackers to exploit exposed ASP.NET machine keys to enable remote code execution.”
Mandiant, owned by Google, discovered the Active ViewState star-start attack, said the activity utilized sample machine keys published in the Sitecore deployment guide since before 2017. The Threat Intelligence Team did not link activities to known threat actors or groups.
“Attackers’ deep understanding of compromised products and exploited vulnerabilities was evident in the progression from early server compromise to escalation of privilege,” said researchers Rommel Joven, Josh Fleischer, Joseph Seit, Andy Sloak and Chong Kiat Nag.
The publicly published ASP.NET machine key abuse was first documented by Microsoft in February 2025, with the technology giant observing limited exploitation activities dating back to December 2024.
Subsequently, in May 2025, ConnectWise disclosed an inappropriate authentication flaw affecting ScreenConnect (CVE-2025-3935, CVSS score: 8.1).
Like July, the first access broker (IAB), known as Gold Melody, was attributed to a campaign that leaked ASP.NET keys to gain unauthorized access to organizations and sold other threat access.
In the attack chain documented by Mandiant, CVE-2025-53690 will be weaponized to enable initial compromises for Sitecore instances for the Internet, facilitating the deployment of a combination of open source and custom tools, remote access, and active directory reconnaissance.
The ViewState payload, delivered using the sample machine key specified in the published deployment guide, is a .NET assembly called WeepSteel that can collect system, network and user information and return details to the attacker. The malware borrows some of its functionality from an open source Python tool named Exchangecmdpy.py.
Once access was obtained, the attacker found that it would establish a foothold, escalate privileges, maintain persistence, carry out internal network reconnaissance, move laterally across the network, ultimately leading to data theft. Some of the tools used in these phases are listed below –
Active Directory Controller for Persistent Remote Access and Active Directory Recon for Socks for Earth Way Gents in Network Tunnels, Identifies Domain Controllers in the target network for Active Directory Recon, lists unique user tokens in the system, executes commands using the user’s tokens, lists all running users and related users’ remote remote desks.
It has also been observed that threat actors create local administrator accounts (ASP $ and SAWADMIN) to gain access to administrator credentials and to discard the SAM/system hives to promote lateral movement through RDP.
“As the admin account was compromised, the previously created ASP$ and Sawadmin accounts were deleted, indicating a shift towards a more stable and secure way of access,” Mandiant added.
To combat the threat, organizations recommend rotating the ASP.NET machine key, lock down the configuration, and scan the environment for signs of compromise.
“The result of CVE-2025-53690 is that somewhere an enterprising threat actor is using a static ASP.NET machine key published in the product documentation.
“The zero-day vulnerability arises from both the unstable configuration itself (i.e. the use of keys on static machines) and public exposure. And so that threat actors can definitely read the documentation, advocates who are likely to be affected should quickly rotate the machine keys and ensure, wherever possible, that Sitecore installations are not publicly available.”
Ryan Dewhurst, head of aggressive threat intelligence at WatchTowr, said the issue was a result of Sitecore customers copying and pasting keys from official documents rather than generating something unique and random.
“Deployments running using these known keys remained exposed to viewing attacks, a direct path to remote code execution (RCE),” Dewhurst added.
“Sitecore has confirmed that new deployments automatically generate keys and contact all affected customers. The blast radius remains unknown, but this bug usually shows all the characteristics that define a serious vulnerability.
Source link
