CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation
Briefly

The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution."
Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group. "The attacker's deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation," researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said.
The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the key to deliver the Godzilla post-exploitation framework. Then in May 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS score: 8.1) that it said had been exploited in the wild by a nation-state threat actor to conduct ViewState code injection attacks targeting a small set of customers.
CISA has added CVE-2025-53690, a critical (CVSS 9.0) deserialization of untrusted data vulnerability in Sitecore XM, XP, XC, and Managed Cloud, to its Known Exploited Vulnerabilities catalog and directed Federal Civilian Executive Branch agencies to remediate by September 25, 2025. The root cause is a static ASP.NET machineKey: deployments that copied the sample key printed in Sitecore deployment guides from 2017 and earlier let anyone who has read those guides compute a valid MAC over a malicious __VIEWSTATE payload, which the server then deserializes and executes. Mandiant observed this ViewState deserialization attack in the wild, with the intruder progressing from initial server compromise to privilege escalation, and did not attribute it to a known actor. Microsoft first documented abuse of publicly disclosed ASP.NET machine keys in February 2025, with exploitation dating back to December 2024 that delivered the Godzilla post-exploitation framework. Because the weakness is the exposed key rather than a code defect, updating Sitecore alone does not protect an instance that is still running with a published or shared sample key; its validationKey and decryptionKey must be replaced with unique, randomly generated values.
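The attack works because the validationKey in web.config is the only secret standing between an attacker and a ViewState payload the server will deserialize. The script below is an added example, not code from the article, Mandiant, Sitecore or Microsoft. It audits the <machineKey> element of a web.config against a caller-supplied set of publicly documented keys, flags legacy algorithms and implausible key lengths, and emits a freshly generated replacement element. The embedded web.config and the KNOWN_PUBLISHED_KEYS set are constructed placeholders; the actual sample keys from the old deployment guides are deliberately not reproduced.

```python
"""Audit an ASP.NET web.config <machineKey> for published or weak static keys
and generate a replacement pair. Added example; sample data is constructed."""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for keys that have appeared in public
# documentation. Populate this set from your own sources (uppercase hex).
KNOWN_PUBLISHED_KEYS = {
    "0123456789ABCDEF" * 8,   # 128 hex chars: placeholder validationKey
    "FEDCBA9876543210" * 3,   # 48 hex chars: placeholder decryptionKey
}

# Constructed sample web.config: a deployment that pasted the guide's keys verbatim.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="FEDCBA9876543210" * 3)

HEX = re.compile(r"[0-9A-Fa-f]+")
LEGACY_MAC = {"MD5", "SHA1"}        # HMACSHA256 is the current default
LEGACY_CIPHER = {"DES", "3DES"}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element; an empty list means nothing flagged."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element: ASP.NET auto-generates per-machine keys, which cannot be
        # looked up in a deployment guide (but a web farm needs explicit shared keys).
        return []
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in KNOWN_PUBLISHED_KEYS:
            findings.append(f"CRITICAL: {attr} matches a publicly documented sample key")
        elif not HEX.fullmatch(value):
            findings.append(f"ERROR: {attr} is not a hex string")
        elif attr == "validationKey" and len(value) < 128:
            findings.append("WARN: validationKey shorter than the recommended 64 bytes (128 hex chars)")
        elif attr == "decryptionKey" and len(value) not in (32, 48, 64):
            findings.append("WARN: decryptionKey is not a valid AES key length")
    if mk.get("validation", "HMACSHA256").upper() in LEGACY_MAC:
        findings.append("WARN: validation uses a legacy MAC algorithm")
    if mk.get("decryption", "AES").upper() in LEGACY_CIPHER:
        findings.append("WARN: decryption uses a legacy cipher")
    return findings


def generate_machine_key() -> dict[str, str]:
    """Fresh random keys: 64 bytes for the HMAC-SHA256 validation key, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys: dict[str, str]) -> str:
    """Render the replacement element to paste into <system.web>."""
    attrs = " ".join(f'{k}="{v}"' for k, v in keys.items())
    return f"<machineKey {attrs} />"


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG) or ["OK: no machineKey issues found"]:
        print(finding)
    print("Replacement element (deploy to every node of a web farm at the same time):")
    print(render_machine_key(generate_machine_key()))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket signed with the old one, so schedule it accordingly, and in a web farm every node must receive the same new pair at once or requests served by a different node will fail MAC validation. Deleting the element entirely makes ASP.NET auto-generate keys and also defeats this attack, but only for single-server deployments.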
Read at The Hacker News