Google Warns of Sitecore Zero-Day: ViewState Deserialization Under Fire


A critical zero-day vulnerability, CVE-2025-53690, is being actively exploited in the wild against Sitecore Experience Manager (XM) and Experience Platform (XP) systems deployed with sample ASP.NET machine keys copied from outdated Sitecore deployment guides. Google and Microsoft threat intelligence teams have confirmed that attackers are leveraging ViewState deserialization attacks to achieve remote code execution (RCE), enabling full compromise of vulnerable IIS servers.

Once inside, attackers deploy WeepSteel malware, a reconnaissance and data exfiltration tool that blends into normal traffic by disguising exfiltrated information as benign ViewState responses. Post-exploitation activity includes creating stealthy administrator accounts (e.g., asp$, sawadmin), harvesting credentials, dumping registry hives, and installing persistence mechanisms such as DWAgent remote access tools. Attackers also use open-source utilities like EARTHWORM for covert tunneling and SharpHound for Active Directory reconnaissance, enabling lateral movement across enterprise networks.

The tactics observed mirror state-sponsored threat actor behavior, showing a high degree of sophistication and stealth, including in-memory malware execution and cleanup of disk-resident tools. With over 3,000 machine keys publicly disclosed in repositories, the attack surface is vast, making this a severe supply-chain-style risk for organizations that adopted outdated Sitecore deployment guides.

Sitecore has issued mitigation guidance and strongly advises all customers to rotate machine keys, upgrade to supported versions, and perform forensic investigations to ensure no persistence mechanisms remain. Security experts emphasize the urgency of patching, hardening IIS servers, enforcing ViewState MAC validation, and monitoring for suspicious administrator account creation or exfiltration attempts.
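The mitigation steps above (rotate machine keys, keep ViewState MAC validation on) can be checked mechanically against a site's web.config. The script below is an added example written for this page, not code from the episode, from Sitecore or from Google/Microsoft. It parses a web.config, flags a hard-coded validationKey whose SHA-256 fingerprint matches a list of known published sample keys (the list here holds a single constructed placeholder, not a real disclosed key), flags legacy validation algorithms and a disabled MAC, and renders a freshly generated machineKey element for the rotation step. The function names and both sample configs are assumptions constructed for the example.

```python
"""Audit an ASP.NET web.config for the machineKey/ViewState weaknesses behind CVE-2025-53690."""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# SHA-256 fingerprints (of the hex key text) of validationKeys known to be published
# in guides or repositories. The single entry is a constructed stand-in for this
# example; a real audit would load the actually disclosed keys here.
KNOWN_SAMPLE_KEYS = {"A" * 128}
KNOWN_SAMPLE_FINGERPRINTS = {hashlib.sha256(k.encode()).hexdigest() for k in KNOWN_SAMPLE_KEYS}

# validation algorithms older than the HMACSHA256 default of .NET 4.5+
WEAK_VALIDATION = {"SHA1", "MD5", "3DES", "AES"}

# Constructed example of the weak pattern: a sample key copied verbatim from a
# deployment guide, ViewState MAC disabled, legacy validation algorithm.
WEAK_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="{'A' * 128}"
                decryptionKey="{'B' * 64}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means no known weakness was seen."""
    findings = []
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        return ["no <system.web> section; nothing to audit"]

    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append('enableViewStateMac="false": ViewState MAC validation disabled '
                        "(ignored on .NET 4.5.2+, but marks an outdated template)")

    mk = system_web.find("machineKey")
    if mk is None:
        return findings  # keys auto-generated per server; nothing hard-coded to leak

    vkey = mk.get("validationKey", "AutoGenerate")
    if "AutoGenerate" not in vkey:
        fingerprint = hashlib.sha256(vkey.encode()).hexdigest()
        if fingerprint in KNOWN_SAMPLE_FINGERPRINTS:
            findings.append("validationKey matches a publicly disclosed sample key: rotate immediately")
        elif len(vkey) < 128:
            findings.append(f"validationKey is {len(vkey)} hex chars; IIS-generated keys are 128")

    algo = mk.get("validation", "HMACSHA256").upper()
    if algo in WEAK_VALIDATION:
        findings.append(f'validation="{algo}" is a legacy algorithm; use HMACSHA256 or stronger')
    return findings


def build_hardened_machine_key() -> str:
    """Render a fresh <machineKey> with unique random keys: the 'rotate keys' step."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            f'validation="HMACSHA256" decryption="AES" />')


def build_hardened_config() -> str:
    """Constructed hardened counterpart of WEAK_WEB_CONFIG."""
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    {build_hardened_machine_key()}
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", build_hardened_config())):
        print(f"[{name}]")
        for finding in audit_web_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against each site's web.config (and any machineKey set at the IIS level in applicationHost.config) and treat a sample-key match as a confirmed exposure, not a warning: a key is the only secret standing between a forged ViewState and code execution, so a match should trigger rotation plus the forensic review of accounts and persistence the advisory calls for. Keep in mind that web farms legitimately need one explicit key shared across nodes; the problem is the key being public, not being hard-coded.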

This episode unpacks how something as simple as a copied sample machine key can escalate into a full-blown compromise, what security teams should look for in their environments, and why this vulnerability highlights the ongoing dangers of insecure defaults and deserialization flaws.

#cybersecurity #Sitecore #CVE202553690 #ViewState #ASPdotNET #WeepSteel #malware #RCE #Microsoft #Google #threatactors #infosec #zeroday #supplychainsecurity #databreach
