
Critical Sitecore Vulnerability Under Active Exploitation Prompts Urgent CISA Mandate

Updated: Sep 16

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical directive, ordering federal agencies to immediately patch a severe vulnerability in Sitecore's platform. The flaw, identified as CVE-2025-53690 with a CVSS score of 9.0, is actively being exploited in the wild, allowing attackers to achieve remote code execution.


Key Takeaways

  • A critical deserialization vulnerability (CVE-2025-53690) in Sitecore's Experience Manager, Platform, Commerce, and Managed Cloud is being actively exploited.

  • The vulnerability allows remote code execution by exploiting exposed ASP.NET machine keys.

  • CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch their Sitecore instances by September 25, 2025.

  • The exploitation leverages default machine keys that were publicly disclosed in older Sitecore deployment guides.

The Vulnerability Explained

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud are affected by a deserialization-of-untrusted-data vulnerability. The root cause is a static, default ASP.NET machine key carried into production configurations. ASP.NET uses the machineKey to sign (and optionally encrypt) ViewState, so an attacker who knows the key can craft ViewState that passes the server's integrity check and is then deserialized, which is what yields remote code execution. Google-owned Mandiant discovered the active attacks and noted that the threat actors used a sample machine key that had been published in Sitecore deployment guides from 2017 and earlier.

Exploitation and Attack Chain

The abuse of publicly disclosed ASP.NET machine keys is not new, but in this attack chain CVE-2025-53690 serves as the initial-access vector against internet-facing Sitecore instances. After compromise, the attackers deploy a mix of open-source and custom tooling for reconnaissance, remote access, and Active Directory mapping. Their payload, a .NET assembly named WEEPSTEEL, collects system, network, and user information and exfiltrates it. From there the intrusion follows a familiar path: privilege escalation, persistence, lateral movement, and finally data theft.

Tools utilized in these attacks include:

  • EarthWorm for network tunneling.

  • DWAgent for persistent remote access and Active Directory reconnaissance.

  • SharpHound for Active Directory reconnaissance.

  • GoTokenTheft for managing user tokens and process information.

  • Remote Desktop Protocol (RDP) for lateral movement.

Attackers have also created local administrator accounts to dump credentials and facilitate further lateral movement.

Mitigation and Recommendations

To counter this threat, organizations should rotate their ASP.NET machine keys immediately, review the surrounding configuration, and then scan their environments for signs of compromise. The vulnerability arises from the combination of an insecure configuration and the public exposure of the keys it relies on, so the fix is to generate unique, random keys rather than copy the defaults printed in documentation. Sitecore has confirmed that new deployments generate keys automatically and has contacted affected customers; the full extent of the impact remains under investigation.
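The following is an added example, not code from the article, CISA, Sitecore, or Mandiant. It audits the `<machineKey>` element of a web.config for the conditions described above (a key that appears in a deny-list of published sample keys, keys that are too short, and a validation algorithm weaker than HMACSHA256) and then rotates the keys with fresh random values of the sizes IIS Manager's "Generate Keys" produces. The sample web.config and the deny-list entry are constructed for this example; the deny-list is a placeholder you would populate with the key strings you actually find in old guides or advisories, not the key reported in the Sitecore incident.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config (not Sitecore's): an explicit <machineKey> of the
# kind an old deployment guide might print verbatim for readers to copy.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder deny-list (assumption): populate with key strings you have found in
# published documentation. This entry is constructed and is not the leaked key.
PUBLISHED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
HEX = re.compile(r"[0-9A-Fa-f]+")


def _key_bytes(value: str):
    """Byte length of a hex-encoded key, or None if the value is not valid hex."""
    if HEX.fullmatch(value) and len(value) % 2 == 0:
        return len(value) // 2
    return None


def audit_machine_key(web_config: str) -> list:
    """Return a list of findings for the <machineKey> in a web.config document."""
    root = ET.fromstring(web_config)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means ASP.NET auto-generates keys per server: acceptable on a
        # single node, but a farm needs one explicit random key shared by all nodes.
        return ["no <machineKey>: keys auto-generated per server (set explicit random keys on a farm)"]
    findings = []
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    if vk.upper() in PUBLISHED_KEYS:
        findings.append("validationKey matches a publicly published sample key")
    if not vk.startswith("AutoGenerate"):
        n = _key_bytes(vk)
        if n is None or n < 64:
            findings.append("validationKey is not a hex string of at least 64 bytes")
    if not dk.startswith("AutoGenerate"):
        n = _key_bytes(dk)
        if n is None or n < 32:
            findings.append("decryptionKey is not a hex string of at least 32 bytes (AES-256)")
    if mk.get("validation", "HMACSHA256").upper() not in STRONG_VALIDATION:
        findings.append("validation algorithm is weaker than HMACSHA256")
    if mk.get("decryption", "Auto").upper() not in {"AES", "AUTO"}:
        findings.append("decryption algorithm is not AES")
    return findings


def generate_machine_key() -> dict:
    """Fresh random keys at the sizes IIS Manager's 'Generate Keys' uses:
    64-byte validationKey for HMACSHA256 and 32-byte decryptionKey for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config: str, keys: dict) -> str:
    """Return web_config with its <machineKey> attributes replaced by `keys`."""
    root = ET.fromstring(web_config)
    sw = root.find("./system.web")
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    mk = sw.find("machineKey")
    if mk is None:
        mk = ET.SubElement(sw, "machineKey")
    for attr, value in keys.items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG, generate_machine_key())
    print("after rotation:", audit_machine_key(rotated) or "clean")
```

Two practitioner caveats when applying this for real: every server in a load-balanced farm must receive the same new key, because ViewState and forms-authentication tickets signed on one node are validated on another; and rotation invalidates every existing ViewState and authentication ticket, so schedule it for a window where forcing users to re-authenticate is acceptable. Treat a key that was ever in documentation as compromised regardless of what the audit finds elsewhere.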

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation, The Hacker News.

