The Register

Attackers snooping around Sitecore, dropping malware via public sample keys

Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines.

All versions of Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud remain “potentially impacted” by CVE-2025-53690, a ViewState deserialization vulnerability, if they are deployed in a multi-instance mode with customer-managed static machine keys, the business software provider warned in a Wednesday security bulletin.

The bug is due to a configuration issue – not a software hole – and affects customers using the sample key provided with deployment instructions for Sitecore XP 9.0 or earlier and Sitecore Active Directory 1.4 and earlier versions. Updated deployments automatically generate a random machine key.

If you’re stuck with one of the sample keys from Sitecore’s old docs instead of generating your own, treat your install as vulnerable and rotate those keys now. “Successful exploitation of the related vulnerability might lead to remote code execution and non-authorized access to information,” the vendor noted.
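One way to do that check before rotating, as an added example (not code from Sitecore, Mandiant or the article): the Python audit below parses a web.config, flags a static <machineKey> element and any weak validation or decryption algorithm, and generates a fresh random replacement element. The sample web.config and its key values are constructed placeholders made up for this example; the script deliberately does not embed the vendor's published sample key, so confirming that a flagged static key is not one of the documented values stays a manual step against Sitecore's own bulletin.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config for this example (not Sitecore's own file).
# The key values are placeholders invented here, not any vendor sample key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Algorithms ASP.NET still accepts but that are below today's sensible floor
# (HMACSHA256 or stronger for validation, AES for decryption).
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"3DES", "DES"}

def audit_machine_key(web_config_xml: str) -> dict:
    """Report on the <machineKey> element of a web.config string.

    'static' is True when either key is spelled out instead of AutoGenerate;
    a static key is exactly what an operator copying a documentation sample
    ends up with, so every static key should be checked against the vendor's
    published values and rotated if it matches.
    """
    root = ET.fromstring(web_config_xml)
    mk = root.find(".//machineKey")
    findings = {"present": mk is not None, "static": False, "weak_algorithms": []}
    if mk is None:
        return findings  # no element: ASP.NET auto-generates per-server keys
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if not value.upper().startswith("AUTOGENERATE"):
            findings["static"] = True
            # explicit keys must be hex; anything else is a configuration error
            if not re.fullmatch(r"[0-9A-Fa-f]+", value):
                findings.setdefault("malformed", []).append(attr)
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings["weak_algorithms"].append("validation=" + mk.get("validation"))
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings["weak_algorithms"].append("decryption=" + mk.get("decryption"))
    return findings

def new_machine_key_element() -> str:
    """Return a replacement <machineKey> with fresh random keys.

    64 random bytes for the HMACSHA256 validation key and 32 bytes for the
    AES decryption key, hex-encoded as ASP.NET expects. In a multi-instance
    farm every instance must carry the same element, so rotation means
    deploying this one element to all of them, not auto-generating per host.
    """
    validation_key = secrets.token_bytes(64).hex().upper()
    decryption_key = secrets.token_bytes(32).hex().upper()
    return (
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" '
        'validation="HMACSHA256" decryption="AES" />'
    )

if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print(new_machine_key_element())
```

Run it against the real web.config of each instance; a result with "static": True is the trigger to compare the key against the documented sample values and, if it matches, to push the generated element to every instance in the deployment at the same time, since a mismatched key between instances breaks ViewState and authentication cookies rather than merely weakening them.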

Plus, it appears that criminals seized upon these publicly documented keys to remotely execute code and snoop around exposed instances before Sitecore issued its guidance.

On Wednesday, in conjunction with Sitecore’s bulletin, Mandiant published its own account of an attack disrupted midway, during which the attacker used the exposed ASP.NET machine key to perform RCE.

Then on Thursday, the US Cybersecurity and Infrastructure Security Agency added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog.

Mandiant said it disrupted the attack early, which prevented its incident responders from observing the full lifecycle or determining the attackers’ motivations.

Still, “the attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” the threat intelligence team noted.

After exploiting CVE-2025-53690 on the vulnerable, internet-facing instance, the attacker deployed a ViewState payload that contained WEEPSTEEL malware, Mandiant’s Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng wrote.

ViewState is an ASP.NET feature that serializes a page’s control state into a hidden form field so it survives postbacks; because the server deserializes that field on every request, a ViewState deserialization attack occurs when an attacker gets the server to accept an attacker-crafted serialized object as legitimate page state, which the machine key’s integrity check is supposed to prevent.

“When machine keys (which protect ViewState integrity and confidentiality) are compromised, the application effectively loses its ability to differentiate between legitimate and malicious ViewState payloads sent to the server,” the Mandiant team explained.
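The trust decision Mandiant describes, reduced to a simplified Python model added here (not ASP.NET’s code and not anything from the Mandiant report): the server accepts whatever carries a valid HMAC under its validation key, so an attacker who holds that key produces "legitimate" ViewState at will, while a freshly rotated key makes the same forgery fail. Real ASP.NET additionally mixes page-specific modifiers into the MAC key derivation, and the object an attacker wants accepted would be a deserialization gadget rather than the placeholder bytes used below; both keys here are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length

def sign_viewstate(state: bytes, validation_key: bytes) -> str:
    """Append an HMAC-SHA256 tag keyed with validation_key and base64-encode.

    Simplified model of ASP.NET's ViewState MAC: the framework also derives
    the key from page-specific modifiers, but the decision is the same,
    a valid tag means the payload is deserialized.
    """
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode()

def verify_viewstate(blob: str, validation_key: bytes):
    """Return the state bytes if the tag verifies, otherwise None (MAC failure)."""
    raw = base64.b64decode(blob)
    if len(raw) < TAG_LEN:
        return None
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state

# Constructed keys for this demo. PUBLISHED_KEY stands in for any static key
# copied from public documentation; ROTATED_KEY is what rotation produces.
PUBLISHED_KEY = bytes.fromhex("0123456789ABCDEF" * 8)
ROTATED_KEY = secrets.token_bytes(64)

# Placeholder for whatever the attacker wants the server to deserialize;
# a label only, not a real gadget chain.
ATTACKER_STATE = b"<attacker-controlled serialized object>"

def forgery_accepted(server_key: bytes, attacker_key: bytes) -> bool:
    """Does ViewState the attacker signed with attacker_key pass the server's check?"""
    forged = sign_viewstate(ATTACKER_STATE, attacker_key)
    return verify_viewstate(forged, server_key) == ATTACKER_STATE

if __name__ == "__main__":
    # Server still on the published key: the attacker's ViewState is "legitimate".
    print("published key, forgery accepted:", forgery_accepted(PUBLISHED_KEY, PUBLISHED_KEY))
    # Server on a rotated key: same forgery is rejected before deserialization.
    print("rotated key, forgery accepted:  ", forgery_accepted(ROTATED_KEY, PUBLISHED_KEY))
```

The point the model makes is that rotation is the whole fix: nothing about the ViewState handler changes, only the key the attacker no longer knows.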

After abusing the vulnerability to remotely deploy WEEPSTEEL, a malware designed to collect system, network, and user information, the attackers used their access to archive the root directory of the web application, we’re told.

This indicates “an intent to obtain sensitive files such as web.config,” and “was followed by host and network reconnaissance,” the researchers said.

The miscreants also elevated privileges after breaking in, escalating their access to SYSTEM and administrator level, and then attempted to compromise cached administrator credentials, which also enabled lateral movement via Remote Desktop Protocol (RDP).

Neither Mandiant nor Sitecore immediately responded to The Register‘s questions about the scope of these attacks, and who is believed to be behind them. We will update this story if we hear back from either company. ®
