Urgent Sitecore Patch Needed: CISA Warns of Active Exploitation
Federal agencies are under pressure to patch a critical security vulnerability in Sitecore, as cybersecurity officials at CISA confirm the flaw is already being actively exploited by attackers. Agencies have until September 25, 2025, to apply the update and mitigate potential damage.

Federal Civilian Executive Branch (FCEB) agencies have until September 25, 2025, to update their Sitecore instances, because a flaw in the platform is being actively exploited in the wild.
The vulnerability, tracked as CVE-2025-53690, is rated critical with a CVSS score of 9.0 out of 10.0.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) explains: "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution."
In plain terms: ASP.NET only accepts a ViewState payload whose integrity check passes under the application's machine key, and then deserializes it. An attacker who knows that key, because it was copied out of documentation, can forge a payload that passes the check and is deserialized on the server, which yields remote code execution.
Mandiant, now part of Google, uncovered the attack. The attackers were using a sample machine key that had appeared in Sitecore deployment guides since 2017. The activity has not yet been attributed to a specific threat group.
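The following is an added illustration, not code from Sitecore, ASP.NET or Mandiant, of why a published machine key makes the ViewState integrity check worthless. Real ASP.NET ViewState uses its own serializer, key derivation and encoding; the model keeps only the property that matters here: the server deserializes any blob whose HMAC verifies under its validationKey, so whoever holds that key can author "trusted" state. The key value and payloads are constructed.

```python
"""Minimal model of MAC-then-deserialize, the ViewState trust boundary.

Added illustration, not Sitecore's or ASP.NET's code. Only the trust property
is modelled: state is accepted if (and only if) its HMAC verifies under the
server's validationKey, and is deserialized afterwards.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Stand-in for a key copied verbatim out of a deployment guide. Constructed value,
# not the real Sitecore documentation key; 64 bytes like an HMACSHA256 validationKey.
KEY_FROM_DOCS = bytes.fromhex("0123456789abcdef" * 8)

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(state: dict, validation_key: bytes) -> str:
    """Producer side (server, or anyone holding the key): serialize, MAC, encode."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def load_state(token: str, validation_key: bytes) -> Optional[dict]:
    """Consumer side (server): verify the MAC, then deserialize.

    Returns None on MAC failure, the analogue of ASP.NET's
    'Validation of viewstate MAC failed'. Deserialization happens only after
    a successful check, which is exactly why the check protects nothing once
    the key is public.
    """
    raw = base64.b64decode(token)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def attacker_state_is_accepted(server_key: bytes, attacker_key: bytes) -> bool:
    """Does a blob authored with attacker_key survive the server's MAC check?"""
    # In a real attack the body would be a deserialization gadget chain; here it
    # is an inert marker so the example stays harmless.
    forged = sign_state({"origin": "attacker", "note": "arbitrary serialized object"},
                        attacker_key)
    return load_state(forged, server_key) is not None


def fresh_validation_key() -> bytes:
    """What rotation produces: 64 random bytes the attacker has never seen."""
    return secrets.token_bytes(64)


if __name__ == "__main__":
    print("docs key in web.config, attacker holds docs key:",
          attacker_state_is_accepted(KEY_FROM_DOCS, KEY_FROM_DOCS))         # True
    print("rotated key in web.config, attacker holds docs key:",
          attacker_state_is_accepted(fresh_validation_key(), KEY_FROM_DOCS))  # False
```

The second call is the whole point of key rotation: the attacker's forged state is now rejected before it reaches the deserializer. Rotation does nothing for a server on which a payload has already executed; that host still needs the hunting steps described further down.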
"The attacker's deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation," researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said.
Abuse of publicly disclosed ASP.NET machine keys is not new. Microsoft warned about it in February 2025, noting limited activity going back to December 2024 in which the keys were used to deliver the Godzilla post-exploitation framework.
In May 2025, ConnectWise disclosed that a nation-state actor had exploited a ScreenConnect flaw (CVE-2025-3935) to inject code into the environments of a small number of its customers.
More recently, in July, the initial access broker (IAB) known as Gold Melody was linked to a campaign that exploited leaked ASP.NET machine keys to gain unauthorized access to organizations and sell that access to other cybercriminals.
Mandiant's investigation shows CVE-2025-53690 being used for initial access to Sitecore instances. Once inside, the attackers deploy a mix of open-source and custom tools for reconnaissance, remote access, and Active Directory enumeration.
The first stage is a .NET assembly called WEEPSTEEL, delivered through the ViewState payload forged with the sample machine key. It collects system, network, and user information and sends it back to the attackers. Parts of WEEPSTEEL are based on the open-source Python tool ExchangeCmdPy.py.
From that foothold the attackers escalate privileges, establish persistence, explore the internal network, and ultimately steal data. Tools observed include:
- EarthWorm: For creating network tunnels using SOCKS.
- DWAgent: For persistent remote access and reconnaissance of Active Directory to find Domain Controllers.
- SharpHound: For Active Directory reconnaissance.
- GoTokenTheft: For listing user tokens, running commands as those users, and listing processes and their tokens.
- Remote Desktop Protocol (RDP): For moving laterally across the network.
The attackers also created local administrator accounts (asp$ and sawadmin) and attempted to dump the SAM and SYSTEM registry hives to recover administrator credentials, which would let them move across the network over RDP.
"With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods," Mandiant explains.
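The create-then-delete pattern above is detectable from Windows Security event logs. What follows is an added example, not detection content from Mandiant or Sitecore: it runs over a handful of constructed event records (4720 user account created, 4732 member added to a security-enabled local group, 4726 user account deleted), reduced to the fields the logic needs. The heuristics, field names and the seven-day threshold are this example's own assumptions.

```python
"""Flag throwaway local-admin accounts: created on a web server, added to
Administrators, then deleted once better credentials are in hand.

Added example; events are constructed and reduced to the fields used here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

EVENTS = [  # constructed sample log, not data from the Mandiant report
    {"time": "2025-08-01T02:10:00", "id": 4720, "target": "asp$",       "subject": "IIS APPPOOL\\Sitecore"},
    {"time": "2025-08-01T02:10:05", "id": 4732, "target": "asp$",       "group": "Administrators"},
    {"time": "2025-08-01T02:11:00", "id": 4720, "target": "sawadmin",   "subject": "IIS APPPOOL\\Sitecore"},
    {"time": "2025-08-01T02:11:03", "id": 4732, "target": "sawadmin",   "group": "Administrators"},
    {"time": "2025-08-02T09:00:00", "id": 4720, "target": "svc_backup", "subject": "CORP\\helpdesk"},    # benign
    {"time": "2025-08-02T09:00:30", "id": 4732, "target": "svc_backup", "group": "Backup Operators"},   # benign
    {"time": "2025-08-03T14:00:00", "id": 4726, "target": "asp$"},
    {"time": "2025-08-03T14:00:20", "id": 4726, "target": "sawadmin"},
]

# Identities a web application runs as. They have no business creating users.
WEB_PROCESS_PREFIXES = ("IIS APPPOOL\\",)


def find_suspicious_accounts(events: List[dict],
                             max_lifetime: timedelta = timedelta(days=7)) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for accounts matching the churn pattern."""
    by_account: Dict[str, dict] = defaultdict(dict)
    for e in events:
        acct = e["target"]
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            by_account[acct]["created"] = ts
            by_account[acct]["creator"] = e.get("subject", "")
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            by_account[acct]["admin_at"] = ts
        elif e["id"] == 4726:
            by_account[acct]["deleted"] = ts

    findings: Dict[str, List[str]] = {}
    for acct, info in by_account.items():
        reasons = []
        if info.get("creator", "").startswith(WEB_PROCESS_PREFIXES):
            reasons.append(f"created by web application identity {info['creator']}")
        if acct.endswith("$"):
            # Computer accounts are logged as 4741, not 4720; a 4720 with a '$'
            # suffix is a user account dressed up to look like a machine account.
            reasons.append("user account named like a computer account")
        if {"created", "admin_at", "deleted"} <= info.keys():
            lifetime = info["deleted"] - info["created"]
            if lifetime <= max_lifetime:
                reasons.append(f"added to Administrators then deleted after {lifetime.days} day(s)")
        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    for acct, reasons in find_suspicious_accounts(EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

On the sample, asp$ and sawadmin are flagged and svc_backup is not. In production, the "created by a web application identity" rule alone is worth alerting on, since it fires at the moment of initial compromise rather than days later when the account is cleaned up.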
What can you do? Rotate your ASP.NET machine keys to unique, randomly generated values, lock down your Sitecore configuration, keep instances off the public internet where possible, and hunt your systems for the indicators described above.
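The rotation step in practice comes down to the <machineKey> element in web.config. Below is an added example, not Sitecore's tooling or its documented procedure, that audits a config for keys matching a caller-supplied list of known published values and rewrites the element with fresh random keys. The sample config and the "known published key" entries are constructed placeholders: this page does not reproduce the real documentation key, so populate KNOWN_PUBLISHED_KEYS from your own copy of the guide. Key sizes follow ASP.NET convention: 64 bytes (128 hex characters) for an HMACSHA256 validationKey and 32 bytes (64 hex characters) for an AES decryptionKey.

```python
"""Audit a web.config <machineKey> and produce a replacement with unique random keys.

Added example, not Sitecore's tooling. Sample config and the known-key list are
constructed placeholders.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed web.config fragment; "A"*128 / "B"*64 stand in for a copy-pasted doc key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
""".format(vk="A" * 128, dk="B" * 64)

# Placeholder list. Fill it with the real sample keys from the deployment guide you used.
KNOWN_PUBLISHED_KEYS: Set[str] = {"A" * 128, "B" * 64}


def generate_machine_key() -> Dict[str, str]:
    """Fresh, unpredictable keys; web.config takes them as hex strings."""
    return {
        "validationKey": secrets.token_hex(64).upper(),   # 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),   # 32 bytes for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def audit_machine_key(web_config_xml: str, known_published: Set[str]) -> List[str]:
    """Return findings; an empty list means none of the checks here fired."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    findings: List[str] = []
    if mk is None:
        # No explicit key: ASP.NET auto-generates one per machine, which is fine
        # for a single node but breaks ViewState across a web farm.
        return findings
    published = {k.upper() for k in known_published}
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value.upper() in published:
            findings.append(f"{attr} matches a publicly documented sample key")
        elif value and len(value) < 40:
            # Length floor is a heuristic; the real requirements are entropy and secrecy.
            findings.append(f"{attr} is unusually short ({len(value)} hex chars)")
    return findings


def rotate_machine_key(web_config_xml: str) -> str:
    """Replace (or add) the machineKey element with freshly generated values."""
    root = ET.fromstring(web_config_xml)
    system_web = next(root.iter("system.web"), None)
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = next(system_web.iter("machineKey"), None)
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for k, v in generate_machine_key().items():
        mk.set(k, v)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG, KNOWN_PUBLISHED_KEYS))
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(rotated, KNOWN_PUBLISHED_KEYS))
```

Two operational caveats. Every node in a load-balanced Sitecore deployment must receive the same new key pair at the same time, or ViewState generated by one server will fail validation on another. And rotation only closes the door for future forgeries; a server that already ran a forged payload must be treated as compromised and investigated regardless of the new key.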
"The upshot of CVE-2025-53690 is that an enterprising threat actor somewhere has apparently been using a static ASP.NET machine key that was publicly disclosed in product docs to gain access to exposed Sitecore instances," Caitlin Condon, VP of security research at VulnCheck, told The Hacker News.
"The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure — and as we've seen plenty of times before, threat actors definitely read documentation. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet."
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, points out that the problem stems from Sitecore customers copying and pasting example keys from official documentation instead of generating their own unique keys.
"Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to Remote Code Execution (RCE)," Dewhurst warns.
"Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will."