ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

Sept. 4, 2025, 9:45 p.m.

Description

A critical ViewState deserialization vulnerability (CVE-2025-53690) was discovered in Sitecore products, affecting deployments using an exposed sample machine key. The attacker exploited this to achieve remote code execution, progressing from initial compromise to privilege escalation. Key events included deploying WEEPSTEEL malware for reconnaissance, archiving sensitive files, staging tools like EARTHWORM and DWAGENT, creating local admin accounts, dumping credentials, and performing Active Directory reconnaissance with SHARPHOUND. The attack demonstrated sophisticated knowledge of the target system and leveraged various techniques for persistence and lateral movement. Sitecore has addressed the issue and notified affected customers.
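A defender-side check for the condition described above, a static ASP.NET machine key copied from published sample material, follows as an added example; it is not code from Sitecore or from the original advisory. The KNOWN_SAMPLE_KEYS entry is a placeholder because this page does not list the exposed key, and the web.config fragment and key values are constructed.

```python
import xml.etree.ElementTree as ET

# Placeholder only: the advisory does not list the exposed sample key.
# Populate from the vendor's guidance for your product version.
KNOWN_SAMPLE_KEYS = {"<EXPOSED-SAMPLE-KEY-PLACEHOLDER>"}

# Constructed web.config fragment for demonstration (not a real key).
SAMPLE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123ABCD0123ABCD" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""


def audit_machine_key(config_xml, known_keys=KNOWN_SAMPLE_KEYS):
    """Return (attribute, finding) pairs for every <machineKey> in a web.config."""
    known = {k.strip().upper() for k in known_keys}
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Strip any XML namespace so legacy namespaced configs still match.
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            # A missing attribute defaults to an auto-generated key.
            value = el.get(attr, "AutoGenerate")
            key = value.split(",")[0].strip()  # drop modifiers such as IsolateApps
            if key.lower() == "autogenerate":
                continue  # key is generated per machine, nothing was copied
            if key.upper() in known:
                findings.append((attr, "matches a published sample key: rotate"))
            else:
                findings.append((attr, "static key: confirm it is unique"))
    return findings


if __name__ == "__main__":
    for attr, finding in audit_machine_key(SAMPLE_CONFIG, {"0123abcd0123abcd"}):
        print(f"{attr}: {finding}")
```

A static key that is not in the list still gets reported, since any key value that was copied between environments or taken from documentation carries the same exposure.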

Date

  • Created: Sept. 4, 2025, 5:54 p.m.
  • Published: Sept. 4, 2025, 5:54 p.m.
  • Modified: Sept. 4, 2025, 9:45 p.m.