
Act now! Experts warn of active exploitation of vulnerabilities in several Sitecore products

The company behind CMS products used by companies such as L’Oreal, Microsoft and Toyota has disclosed a critical vulnerability that attackers are already exploiting.


Software company Sitecore has warned of a critical vulnerability in several of its products that could lead to remote code execution and the exfiltration of sensitive data.

The vulnerability, tracked as CVE-2025-53690, affects four of Sitecore’s products: Experience Manager, Experience Platform, Experience Commerce, and Managed Cloud.

The issue affects customers who followed the deployment instructions shipped with XP 9.0 or earlier, or with the Active Directory module 1.4 or earlier. Those instructions, which date back to 2017, included a sample ASP.NET machine key, and in some cases customers have been found to have deployed that sample key verbatim rather than generating their own.


“The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones – a move we don’t recommend,” Ryan Dewhurst, watchTowr’s head of proactive threat intelligence, told Cyber Daily.

“Any deployment running with these known keys was left exposed to ViewState deserialisation attacks, a straight path right to remote code execution.”
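The check a defender would run over each affected web.config, as an added example that is not Sitecore’s code or anything from its advisory: it parses the `<machineKey>` element ASP.NET reads, flags values that match an operator-supplied list of published sample keys, checks that any static key is well-formed hex of a length the configured algorithm accepts, and rewrites the element with freshly generated random keys. The sample config and the “published” key values are placeholders constructed for this example; the real sample key from the 2017 guides is deliberately not reproduced, and the operator is expected to substitute it.

```python
"""Audit an ASP.NET web.config for a copied <machineKey> and rotate it.

Added example for this article; not Sitecore's code or tooling. The web.config
below is constructed, and the "published" key values are placeholders standing
in for the sample key from the 2017 Sitecore guides, which is not reproduced.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a deployment that pasted the documentation key verbatim.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder values; an operator fills this with the key(s) from the affected
# documentation so the audit can match them.
KNOWN_PUBLISHED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "FEDCBA9876543210FEDCBA9876543210",
}

HEX_RE = re.compile(r"^[0-9A-F]+$")
VALIDATION_KEY_LENGTHS = range(40, 129)   # ASP.NET accepts 40..128 hex chars
AES_KEY_LENGTHS = {32, 48, 64}            # 16, 24 or 32 bytes


def _normalise(value: str) -> str:
    """Strip the optional ',IsolateApps' suffix and compare case-insensitively."""
    return value.split(",")[0].strip().upper()


def find_machine_key(config_xml: str):
    """Return the attributes of the first <machineKey> element, or None."""
    elem = ET.fromstring(config_xml).find(".//machineKey")
    return None if elem is None else dict(elem.attrib)


def audit_machine_key(config_xml: str, known_published=KNOWN_PUBLISHED_KEYS):
    """Return findings, most severe first: CRITICAL (published key), WARN, INFO."""
    mk = find_machine_key(config_xml)
    if mk is None:
        return ["INFO: no explicit <machineKey>; ASP.NET auto-generates one per machine"]
    published = {_normalise(k) for k in known_published}
    checks = (("validationKey", VALIDATION_KEY_LENGTHS), ("decryptionKey", AES_KEY_LENGTHS))
    findings = []
    for attr, allowed_lengths in checks:
        value = _normalise(mk.get(attr, "AutoGenerate"))
        if value.startswith("AUTOGENERATE"):
            findings.append(f"INFO: {attr} is auto-generated")
        elif value in published:
            findings.append(f"CRITICAL: {attr} matches a published sample key; "
                            "any ViewState-accepting page is exposed to deserialisation RCE")
        elif not HEX_RE.match(value) or len(value) not in allowed_lengths:
            findings.append(f"WARN: {attr} is not a valid hex key for the configured algorithm")
        else:
            findings.append(f"INFO: {attr} is static; confirm it is unique to this deployment")
    return sorted(findings, key=lambda f: ("CRITICAL", "WARN", "INFO").index(f.split(":")[0]))


def generate_machine_key() -> dict:
    """Fresh random keys at the sizes IIS itself generates: a 64-byte
    HMAC-SHA256 validation key and a 32-byte AES decryption key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str) -> str:
    """Return the web.config with its <machineKey> replaced by fresh random keys.
    Every node in a web farm must receive the same new values, or ViewState and
    forms-authentication tickets issued by one node are rejected by the others."""
    root = ET.fromstring(config_xml)
    elem = root.find(".//machineKey")
    if elem is None:
        system_web = root.find("system.web")
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        elem = ET.SubElement(system_web, "machineKey")
    elem.attrib.clear()
    elem.attrib.update(generate_machine_key())
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print(rotated)
    for finding in audit_machine_key(rotated):
        print(finding)
```

A CRITICAL finding means the keys were public, so anyone could forge a ViewState payload that passed the MAC check; rotating the keys closes that door for future requests but does nothing about an attacker who already walked through it, which is why the hunt for persistence described below still has to happen after rotation.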

Sitecore has recommended its customers rotate machine keys immediately, but that may not be enough, according to Caitlin Condon, VP of security research at VulnCheck.

“Unfortunately, rotating keys and locking down configurations isn’t enough on its own if threat actors were able to gain access to an organisation’s network,” Condon said.

“Security and threat hunting teams will need to examine environments for signs of compromise, particularly since Mandiant’s investigation found the (unattributed) threat actor had deployed malware and additional tooling geared toward internal reconnaissance and persistence across one or more compromised environments.”

Condon is referring to a detailed blog post from Mandiant describing malicious activity it has already detected and contained.

“In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialisation attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier,” Mandiant said on 3 September.

“An attacker leveraged the exposed ASP.NET machine keys to perform remote code execution.”

Mandiant said the threat actor appeared to have a deep understanding of Sitecore’s products, moving quickly from initial compromise to privilege escalation. The attacker established a backdoor, maintained persistence, and deployed malicious tooling before beginning network reconnaissance. Because Mandiant contained the attack at that point, it did not observe the full attack life cycle.

Sitecore has said that new deployments now generate keys automatically, but malicious activity in existing deployments may remain undetected for now.

“Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted,” Dewhurst said.

“The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.