Researchers discovered a critical zero-day vulnerability in Sitecore stemming from a misconfiguration involving public ASP.NET machine keys that customers had copied from Sitecore's deployment guides dating back to 2017. The vulnerability, tracked as CVE-2025-53690, let attackers who knew the exposed keys achieve remote code execution through ViewState deserialization: ASP.NET uses the machineKey validationKey to sign (and, with decryptionKey, optionally encrypt) the __VIEWSTATE field, so anyone holding the key can forge a ViewState blob that passes integrity checks and is then deserialized by the server, running attacker-supplied code. The issue primarily affects Sitecore Experience Platform 9.0 and earlier, as well as other Sitecore products deployed in multi-instance mode with static, shared machine keys.
The root cause is that customers copied the sample machine keys from official documentation instead of generating unique, random keys for each deployment, which left those deployments open to anyone who had read the same documentation. Mandiant Threat Defense, which identified and disrupted the intrusion, noted that many Sitecore customers still run with these publicly known keys. The attacker showed detailed knowledge of Sitecore's products, using the vulnerability to deploy malware, escalate privileges, move laterally within the network, and steal sensitive data. The motivation behind the attack remains unknown.
Sitecore and security researchers recommend that customers who ever used the sample keys rotate their machine keys immediately and then hunt thoroughly for signs of ViewState deserialization attacks. Rotation invalidates payloads signed with the old key, but it does not help a system that is already compromised: an attacker who has deployed malware or created a foothold keeps it after the keys change, so rotation must be paired with investigation. The incident underscores the risk of insecure configuration and the importance of never using default or sample keys in production. It also shows how attackers mine publicly available documentation for exploitable defaults. Organizations using Sitecore should review their configurations and raise awareness of this class of misconfiguration to prevent similar exploitation.
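To make the weak setting and its fix concrete, the following Python script is an added example for this page, not Sitecore's or Mandiant's tooling. It audits an ASP.NET web.config for a static, publicly known <machineKey>, then rewrites the element with freshly generated random keys. The web.config excerpt and the "known sample key" values are constructed placeholders; the real documented sample keys are deliberately not reproduced here, and an operator would fill that set from the actual guides.

```python
"""Audit an ASP.NET web.config for a shared, publicly known <machineKey> and
replace it with freshly generated random keys.

Added example, not Sitecore's or Mandiant's code. The sample key values and
the web.config fragment are constructed placeholders.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder: an operator would populate this set with the exact
# sample values from the old deployment guides (upper-case hex).
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,   # hypothetical 64-byte validationKey sample
    "FEDCBA9876543210" * 4,   # hypothetical 32-byte decryptionKey sample
}

# Constructed web.config fragment: the weak setting, a static key pair pasted
# verbatim from documentation into every instance of a multi-instance farm.
VULNERABLE_WEB_CONFIG = (
    '<?xml version="1.0"?>\n'
    "<configuration>\n"
    "  <system.web>\n"
    '    <machineKey validationKey="' + "0123456789ABCDEF" * 8 + '"\n'
    '                decryptionKey="' + "FEDCBA9876543210" * 4 + '"\n'
    '                validation="SHA1" decryption="AES" />\n'
    "  </system.web>\n"
    "</configuration>\n"
)

HEX = re.compile(r"[0-9A-Fa-f]+")
STRONG_VALIDATION = ("HMACSHA256", "HMACSHA384", "HMACSHA512")


def audit_machine_key(web_config_xml, known_keys=KNOWN_SAMPLE_KEYS):
    """Return a list of findings for the first <machineKey>; empty means OK."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # No element: ASP.NET auto-generates per-machine keys. That is safe
        # against a known shared key, but ViewState then fails validation
        # across a multi-instance farm, which is why sites set it explicitly.
        return []
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        val = mk.get(attr, "AutoGenerate")
        if val.startswith("AutoGenerate"):
            continue
        if val.upper() in known_keys:
            findings.append(f"{attr} is a published sample key")
        elif not HEX.fullmatch(val):
            findings.append(f"{attr} is not a hex string")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() not in STRONG_VALIDATION:
        findings.append(f"validation={validation}; HMACSHA256 is the .NET 4.5+ default")
    return findings


def new_machine_key_attrs():
    """Fresh random keys: 64-byte HMAC-SHA256 validationKey, 32-byte AES decryptionKey."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def harden(web_config_xml, attrs=None):
    """Return web.config XML with <machineKey> replaced by random keys.

    Generate the pair once and deploy the same values to every instance of a
    farm; otherwise ViewState produced by one node is rejected by another.
    """
    attrs = attrs or new_machine_key_attrs()
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        system_web = next(root.iter("system.web"), None)
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(attrs)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(VULNERABLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(harden(VULNERABLE_WEB_CONFIG))
```

Run the audit against each instance's web.config before and after the change; a clean result after hardening only confirms the key material is no longer shared or public, and, as the article notes, says nothing about whether the host was already compromised while the old key was in use.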
👉 Read the original: CyberScoop