TL;DR

Mandiant discovered an active ViewState deserialization attack against Sitecore instances that relied on a sample ASP.NET machine key published in older Sitecore deployment guides. The flaw enabled remote code execution and led to reconnaissance and post‑exploitation activity; Sitecore and Mandiant coordinated response and affected customers were notified.

What happened

Mandiant Threat Defense investigated an active exploitation chain in which attackers leveraged a publicly exposed example ASP.NET machine key from older Sitecore deployment guides to craft malicious ViewState payloads. The actor targeted a publicly accessible Sitecore page (/sitecore/blocked.aspx) with a crafted __VIEWSTATE POST, bypassing validation because the sample machine key allowed correct payload signing. Successful payloads produced remote code execution and dropped a .NET assembly Mandiant calls WEEPSTEEL, a reconnaissance tool that collected system and network data and encoded results into a __VIEWSTATE-like response. The intruder archived the web application root to obtain configuration files including web.config, staged open-source tooling (EARTHWORM, DWAgent, SharpHound), created local administrator accounts, dumped SAM/SYSTEM hives, and used compromised credentials to move laterally via RDP. Mandiant disrupted the operation during incident response and worked with Sitecore; Sitecore tracks the configuration issue as CVE-2025-53690 and reports updated deployments now generate unique machine keys.

Why it matters

  • Reusing or publishing sample machine keys removes ViewState integrity protections and can enable remote code execution against ASP.NET applications.
  • Publicly accessible Sitecore endpoints that include a hidden __VIEWSTATE field can be weaponized when validation keys are known.
  • Attackers combined deserialization exploitation with open-source tooling to establish persistence, tunnel traffic, and perform Active Directory reconnaissance, increasing the risk of broader domain compromise.
  • Organizations using deployment guidance from older documentation may unknowingly retain insecure configurations that bypass critical protections.
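A configuration check that follows from the points above: it flags any explicit `<machineKey>` in a web.config whose keys are static rather than autogenerated, and matches them against a list of keys known to have been published in documentation. This is an added example, not Sitecore's or Mandiant's tooling; the key value in `KNOWN_PUBLISHED_KEYS` and the `SAMPLE_WEB_CONFIG` fragment are constructed placeholders, not the key from the Sitecore guides.

```python
"""Flag a static or published <machineKey> in an ASP.NET web.config.

Added example, not Sitecore's or Mandiant's tooling. The value in
KNOWN_PUBLISHED_KEYS is a constructed placeholder, not the key from the
Sitecore guides; populate the set from documentation keys you have on file.
"""
import xml.etree.ElementTree as ET

KNOWN_PUBLISHED_KEYS = {
    "PLACEHOLDER-VALIDATION-KEY-COPIED-FROM-A-DEPLOYMENT-GUIDE",  # constructed
}

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for every <machineKey> element in the document."""
    findings = []
    for mk in ET.fromstring(web_config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET treats a missing attribute as AutoGenerate.
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # per-machine key; cannot be reused across hosts
            if value in KNOWN_PUBLISHED_KEYS:
                findings.append(f"{attr}: matches a published sample key, rotate now")
            else:
                findings.append(f"{attr}: static key, confirm it is unique to this deployment")
    return findings  # empty list means keys are autogenerated

# Constructed web.config fragment reproducing the risky pattern.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY-COPIED-FROM-A-DEPLOYMENT-GUIDE"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
```

A static key that does not match the list still warrants a check that it was generated for this deployment alone, since the page's point is that reuse, not a particular value, is what defeats ViewState integrity.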

Key facts

  • Vulnerability tracked as CVE-2025-53690.
  • Mandiant observed active exploitation leveraging a sample machine key exposed in Sitecore deployment guides from 2017 and earlier.
  • Affected deployments include customers who used the exposed sample key; Sitecore specifically cited Sitecore XP 9.0 and Active Directory 1.4 and earlier versions as relevant.
  • Attack began with an HTTP POST to /sitecore/blocked.aspx and corresponding ViewState verification failures recorded in Windows event logs (Event ID 1316).
  • Decrypted malicious ViewState contained a .NET assembly named Information.dll, tracked by Mandiant as WEEPSTEEL, used for host reconnaissance and exfiltration disguised as __VIEWSTATE data.
  • Threat actor staged tools in public directories, including EARTHWORM (tunneler) and DWAgent (remote access); SHA-256 hashes for two staged files were reported in the investigation.
  • EARTHWORM was observed initiating reverse SOCKS proxy connections to C2 addresses 130.33.156[.]194:443 and 103.235.46[.]102:80.
  • The actor created local administrator accounts, dumped SAM/SYSTEM hives to attempt cached credential compromise, and performed lateral movement via RDP.
  • Mandiant disrupted the attack during rapid response and coordinated remediation with Sitecore; Sitecore says updated deployments automatically generate unique machine keys and affected customers were notified.

What to watch next

  • Windows Application event logs for ASP.NET ViewState verification failures (Event ID 1316) and unexpected persistedState entries.
  • Unusual or repeated HTTP POST requests to Sitecore pages that contain hidden __VIEWSTATE fields (for example /sitecore/blocked.aspx).
  • Unexpected files or tooling in public directories (e.g., C:\Users\Public\Music or C:\Users\Public\Video) and evidence of 7za, tunneling tools, or remote access agents being written to those locations.
  • Reported GoTokenTheft usage: referenced in the post's update, but not confirmed in the source.
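Detection logic for the first two items above, as an added example rather than Mandiant's or Sitecore's code: it counts POSTs per client IP to pages that carry a hidden `__VIEWSTATE` and correlates them with Event ID 1316 ViewState verification failures naming the same page. The IIS lines and Application-log entries are constructed; the W3C default field order and the `(timestamp, event id, message)` export shape are assumptions.

```python
"""Flag POSTs to ViewState-bearing Sitecore pages that coincide with
ASP.NET ViewState verification failures (Windows Event ID 1316).

Added example, not Mandiant's or Sitecore's detection logic. Log lines are
constructed; the IIS layout assumed is the W3C default field order and the
event export is a simplified (timestamp, id, message) tuple list.
"""
from collections import Counter

WATCHED_PATHS = {"/sitecore/blocked.aspx"}  # pages with a hidden __VIEWSTATE

# Constructed IIS W3C lines (default fields):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
IIS_LOG = """\
2025-08-01 10:00:01 10.0.0.5 GET /sitecore/login - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2025-08-01 10:00:05 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.9 python-requests/2.31 - 500 0 0 30
2025-08-01 10:00:06 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 250
2025-08-01 10:00:07 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 240
"""

# Constructed Application-log export: (timestamp, event id, message).
APP_EVENTS = [
    ("2025-08-01 10:00:05", 1316, "Viewstate verification failed. Request path: /sitecore/blocked.aspx"),
    ("2025-08-01 10:03:00", 1309, "Unhandled exception. Request path: /sitecore/login"),
]

def parse_iis(text):
    """Yield (client_ip, method, path, status) for each W3C data line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split()
            yield f[8], f[3], f[4].lower(), f[11]

def viewstate_post_counts(iis_text, watched=WATCHED_PATHS):
    """Count POSTs per client IP to pages carrying __VIEWSTATE."""
    counts = Counter()
    for client, method, path, _ in parse_iis(iis_text):
        if method == "POST" and path in watched:
            counts[client] += 1
    return counts

def mac_failures(app_events, watched=WATCHED_PATHS):
    """Count Event ID 1316 entries that reference a watched path."""
    return sum(1 for _, eid, msg in app_events
               if eid == 1316 and any(p in msg.lower() for p in watched))

def alerts(iis_text, app_events, watched=WATCHED_PATHS):
    """Clients whose POSTs to a watched page coincide with a MAC failure there."""
    failures = mac_failures(app_events, watched)
    return {ip: n for ip, n in viewstate_post_counts(iis_text, watched).items()
            if failures > 0}

if __name__ == "__main__":
    print(alerts(IIS_LOG, APP_EVENTS))  # {'203.0.113.9': 3}
```

A single 1316 event followed by repeated POSTs that return 200 is the pattern to escalate, since once a payload is signed with the leaked key no further verification failures are logged.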

Quick glossary

  • ViewState: An ASP.NET mechanism that preserves page and control state between postbacks by encoding data into a hidden __VIEWSTATE form field.
  • Machine key: A cryptographic key used by ASP.NET to sign and/or encrypt ViewState and other protected data; if exposed, it can enable forgery of signed payloads.
  • Remote code execution (RCE): A class of vulnerability that allows an attacker to execute arbitrary code on a target system.
  • web.config: An ASP.NET application configuration file that can contain sensitive settings, connection strings, and cryptographic keys.
  • Lateral movement: Post-compromise activity where attackers use harvested credentials or remote access to move from an initially compromised host to other systems within a network.

Reader FAQ

Which Sitecore versions are affected?
Sitecore says customers who deployed any version using the sample key exposed in public guides are potentially impacted; the advisory specifically mentions Sitecore XP 9.0 and Active Directory 1.4 and earlier versions.

Has Sitecore released a patch?
Sitecore reports that updated deployments automatically generate unique machine keys and that affected customers have been notified; no additional patch details are provided in the source.

What tooling did the attacker use?
Mandiant observed a custom .NET reconnaissance assembly called WEEPSTEEL and staged open-source tools including EARTHWORM (tunneler), DWAgent (remote access), and SharpHound (AD reconnaissance).

Was the incident contained?
Mandiant states it disrupted the attack during rapid response and prevented observation of the full attack lifecycle, but scope of compromise beyond the investigated host is not detailed in the source.

Written by: Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, Choon Kiat Ng

Update (September 3): This post was updated to include information about GoTokenTheft usage. In a recent investigation,…
