ViewState Deserialization Zero... Note

ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

Mandiant discovered an active Sitecore attack exploiting a ViewState deserialization vulnerability. This vulnerability stemmed from a sample machine key exposed in older Sitecore deployment guides. Attackers used this exposed key to achieve remote code execution on Sitecore instances. Sitecore has identified this as CVE-2025-53690 and has notified affected customers. The attack lifecycle began with external reconnaissance and probing of Sitecore's web server. The attacker specifically targeted the /sitecore/blocked.aspx page due to its ViewState form. They leveraged the compromised machine key to craft malicious ViewState payloads. Following initial compromise, the attacker obtained NETWORK SERVICE privileges. They then exfiltrated critical configuration files, including web.config, to aid further malicious activities. Host and network reconnaissance was performed to gather system information. The attacker staged open-source tools like EARTHWORM and DWAGENT in public directories. Privilege escalation was achieved by creating local administrator accounts and attempting token theft. The threat actor dumped SYSTEM and SAM registry hives to extract password hashes.
CdXz5zHNQW_vve2mJj2d3.png