
CISA has issued an urgent warning for organizations using Sitecore. Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their Sitecore platforms before September 25, 2025, after a critical flaw was confirmed to be under active exploitation.
The flaw, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of 10, placing it in the “critical” category. Security experts say attackers are already abusing the vulnerability to gain unauthorized access and execute malicious code on vulnerable systems.
According to CISA, the flaw affects multiple Sitecore products, including:
Sitecore Experience Manager (XM)
Sitecore Experience Platform (XP)
Sitecore Experience Commerce (XC)
Sitecore Managed Cloud
The issue comes from deserialization of untrusted data linked to the use of default ASP.NET machine keys. In simple terms, if a deployment still uses one of these published keys, anyone who knows the key can submit data that the server accepts as trusted and deserializes, letting attackers take full control of the Sitecore system remotely.
Security firm Mandiant, owned by Google, identified the attacks. Researchers noticed that hackers were using a sample machine key that had been published in older Sitecore deployment guides from 2017 and earlier. This gave cybercriminals a direct path to exploit vulnerable servers.
Although Mandiant did not link the activity to a known threat group, the attack showed deep technical knowledge of Sitecore. Hackers moved quickly from the initial compromise to privilege escalation, proving the seriousness of the exploit.
This is not the first time exposed ASP.NET machine keys have been abused:
In February 2025, Microsoft documented how attackers used these keys to deliver the Godzilla post-exploitation framework.
In April 2025, Gladinet’s CentreStack platform was hit by a similar flaw (CVE-2025-30406) that allowed remote code execution.
In May 2025, ConnectWise reported exploitation of a zero-day flaw in ScreenConnect (CVE-2025-3935) involving ViewState injection attacks.
In July 2025, the cybercrime group Gold Melody was seen selling unauthorized access gained by exploiting leaked ASP.NET machine keys.
The Sitecore flaw is part of this growing trend where attackers exploit insecure configurations in enterprise platforms.
In the campaigns observed by Mandiant, hackers exploited CVE-2025-53690 to compromise internet-facing Sitecore instances. After initial access, they deployed a mix of open-source and custom tools to explore networks, steal data, and maintain persistence.
The attack typically unfolded as follows:
Initial Access – Hackers exploited the flaw using default machine keys.
Payload Delivery – A malicious .NET assembly called WEEPSTEEL was deployed. This malware collected system, user, and network details before exfiltrating the data.
Privilege Escalation – Attackers created new admin accounts like asp$ and sawadmin to dump credentials.
Persistence & Lateral Movement – Tools such as DWAgent, SharpHound, EarthWorm, GoTokenTheft, and RDP were used to move across networks and steal more data.
Cleanup – Once permanent access was established, hackers deleted temporary accounts to cover their tracks.

Security researchers have emphasized the severity of the vulnerability:
Caitlin Condon, VP of security research at VulnCheck, explained that attackers were able to use a static key published in product documentation. She warned that even slight suspicion of compromise should push organizations to rotate machine keys immediately and ensure systems are not exposed online.
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, added that the root of the issue lies in organizations copy-pasting sample keys instead of generating unique ones. “This flaw gave attackers a direct path to Remote Code Execution (RCE),” he said.
Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. However, the total number of exposed systems is still unclear.
CISA and security experts recommend the following immediate steps:
Patch Systems – Apply Sitecore’s latest security update before the September 25 deadline.
Rotate Machine Keys – Replace any static or default ASP.NET machine keys.
Restrict Internet Exposure – Ensure Sitecore installations are not accessible directly from the public internet.
Check for Compromise – Scan for suspicious accounts, lateral movement, and signs of malware such as WEEPSTEEL.
Strengthen Monitoring – Increase logging and threat detection capabilities to catch future exploitation attempts.
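The "Rotate Machine Keys" step above is where most of the risk in this advisory lives, so here is an added example (not Sitecore's or CISA's code) of what a defender's audit-and-rotate script for the ASP.NET machineKey element can look like. It parses a web.config, flags a validationKey or decryptionKey whose fingerprint matches a denylist of keys known to appear in public documentation, flags legacy validation algorithms, and rewrites the element with freshly generated key material. The web.config fragment, the key values in it, and the denylist contents are all constructed for the example; the real published Sitecore sample key is deliberately not reproduced here, so populate the denylist from your own inventory.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment for this example. The key material is
# invented filler that stands in for a machineKey copied verbatim from a
# published deployment guide; it is not any real documentation key.
SAMPLE_VALIDATION_KEY = "A" * 128
SAMPLE_DECRYPTION_KEY = "B" * 64
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
"""


def fingerprint(key_hex: str) -> str:
    """SHA-256 of a hex key, so an inventory can hold fingerprints, not keys."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()


# Placeholder denylist: fingerprints of key values that appear in public
# documentation. Here it holds only the constructed sample keys above.
KNOWN_PUBLISHED_KEY_FINGERPRINTS = {
    fingerprint(SAMPLE_VALIDATION_KEY),
    fingerprint(SAMPLE_DECRYPTION_KEY),
}

# Legacy validation algorithms that should no longer be configured.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(config_xml: str, denylist=KNOWN_PUBLISHED_KEY_FINGERPRINTS) -> list:
    """Return a list of findings for the <machineKey> element of a web.config."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means ASP.NET auto-generates per-machine keys: fine for a
        # single server, but every node in a farm must share keys explicitly.
        return ["no machineKey element: keys auto-generated per machine"]
    findings = []
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if "AutoGenerate" not in vkey and fingerprint(vkey) in denylist:
        findings.append("validationKey matches a key published in documentation")
    if "AutoGenerate" not in dkey and fingerprint(dkey) in denylist:
        findings.append("decryptionKey matches a key published in documentation")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(f"weak validation algorithm {validation}")
    decryption = mk.get("decryption", "Auto")
    if decryption.upper() in {"DES", "3DES"}:
        findings.append(f"weak decryption algorithm {decryption}")
    return findings


def generate_machine_key() -> dict:
    """Fresh per-deployment key material: 64-byte HMAC-SHA256 key, 32-byte AES key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 128 hex characters
        "decryptionKey": secrets.token_hex(32).upper(),  # 64 hex characters
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with its <machineKey> replaced by freshly generated keys."""
    root = ET.fromstring(config_xml)
    sysweb = root.find("./system.web")
    if sysweb is None:
        sysweb = ET.SubElement(root, "system.web")
    mk = sysweb.find("machineKey")
    if mk is None:
        mk = ET.SubElement(sysweb, "machineKey")
    for attr, value in generate_machine_key().items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Two operational points when using something like this: every Sitecore role that shares forms-authentication cookies or ViewState (content management and content delivery nodes alike) must receive the same new key at the same time, and rotation invalidates existing ViewState and authentication tickets, so schedule it as a deliberate change rather than a silent edit. Treat a denylist hit as an incident trigger, not just a configuration defect, since the key may already have been used against the host.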
The Sitecore flaw is dangerous because it combines a simple misconfiguration (using default keys) with public documentation exposure. Attackers often review official vendor guides to identify weak points, and this case proves how damaging that can be.
Organizations using Sitecore for web content management, e-commerce, and digital experience platforms face a high risk if they delay patching. Given the active exploitation, attackers could already be inside vulnerable systems, stealing data or preparing ransomware attacks.
CISA’s emergency directive highlights the growing risks of insecure configurations in enterprise platforms. While software vendors are working to fix issues, the responsibility also falls on organizations to follow secure deployment practices and avoid reusing sample credentials or keys.
The critical Sitecore vulnerability CVE-2025-53690 serves as a wake-up call: patching delays and overlooked configurations can open the door to full system compromise. With attackers actively exploiting the flaw, immediate action is not optional—it is essential.