What is CVE-2025-53690 and who discovered it?

CVE-2025-53690 is a critical zero-day vulnerability in Sitecore content management systems with a CVSS score of 9.0. It was discovered by cybersecurity researchers at Mandiant during an active exploitation campaign. The vulnerability enables attackers to achieve remote code execution on vulnerable Sitecore deployments through ViewState deserialization attacks.

What causes the CVE-2025-53690 vulnerability in Sitecore?

The vulnerability is caused by a configuration issue where administrators inadvertently used sample ASP.NET machine keys from legacy deployment documentation in production environments. When these machine keys that protect ViewState integrity and confidentiality are compromised, the application loses its ability to differentiate between legitimate and malicious ViewState payloads.

How do attackers exploit the Sitecore ViewState vulnerability?

Attackers exploit the inherent trust mechanism of ASP.NET's ViewState feature, which preserves page and control values between server round trips. Specifically, they target the `/sitecore/blocked.aspx` endpoint, a legitimate Sitecore component that contains an unauthenticated ViewState form field, to execute malicious code.

Which Sitecore versions are affected by CVE-2025-53690?

The vulnerability affects customers who deployed Sitecore XP 9.0 and Active Directory 1.4 and earlier versions that use the sample machine keys exposed in publicly available deployment guides.

What should organizations do to remediate CVE-2025-53690?

Organizations should: 1) Replace all static machine key values in web.config files with newly generated, unique keys, ensuring the machineKey element is properly encrypted; 2) Restrict access to web.config files to application administrators only and implement regular machine key rotation; 3) Examine their environments for suspicious behavior using indicators of compromise provided by Mandiant and Sitecore; 4) Enable ViewState Message Authentication Code (MAC) validation and encryption in their ASP.NET configurations.

Where can organizations find more information about this Sitecore vulnerability?

Organizations can find detailed remediation guidance in Sitecore's security bulletin SC2025-005, which provides comprehensive instructions for addressing the vulnerability and securing their deployments.

Advisory

Critical vulnerability in Sitecore CMS is actively exploited to deploy malware

Q: What has Sitecore done to address this vulnerability?

Mandiant worked directly with Sitecore to patch this issue. Sitecore has published remediation guidance in security bulletin SC2025-005 and confirmed that updated deployments automatically generate unique machine keys.

Q: What is ASP.NET ViewState and why is it vulnerable?

ASP.NET ViewState is a feature that preserves page and control values between server round trips. It becomes vulnerable when the machine keys that protect ViewState integrity and confidentiality are compromised, allowing attackers to send malicious ViewState payloads that the application cannot distinguish from legitimate ones.

published: Sept. 4, 2025

Take action: If you're running Sitecore XP 9.0 or Active Directory 1.4 (or earlier), THIS IS URGENT. Replace any sample machine keys in your web.config files with newly generated unique keys - attackers are actively exploiting this to gain remote code execution. Check Sitecore security bulletin SC2025-005 and the Mandiant advisory for the exact steps and scan your environment for signs of compromise using the indicators they've provided.

Learn More

Cybersecurity researchers at Mandiant have discovered an active exploitation campaign targeting a critical zero-day vulnerability in Sitecore content management systems.

The vulnerability is tracked as CVE-2025-53690 (CVSS score 9.0), enables attackers to achieve remote code execution on vulnerable Sitecore deployments through ViewState deserialization attacks. The vulnerability is caused by a configuration issue, where administrators inadvertently used sample ASP.NET machine keys from legacy deployment documentation in production environments.

The attack exploits the inherent trust mechanism of ASP.NET's ViewState feature, which preserves page and control values between server round trips. When machine keys that protect ViewState integrity and confidentiality are compromised, the application effectively loses its ability to differentiate between legitimate and malicious ViewState payloads sent to the server.

Threat used leveraged this weakness by targeting the /sitecore/blocked.aspx endpoint, a legitimate Sitecore component that contains an unauthenticated ViewState form field.

Mandiant worked directly with Sitecore to patch this issue, which affects customers who deployed Sitecore XP 9.0 and Active Directory 1.4 and earlier versions - which use the sample key exposed in publicly available deployment guides.

Sitecore has published remediation guidance in security bulletin SC2025-005 and confirmed that updated deployments automatically generate unique machine keys. Organizations using vulnerable Sitecore deployments should:

Replace all static machine key values in web.config files with newly generated, unique keys, ensuring the <machineKey> element is properly encrypted.
Restrict access to web.config files to application administrators only and implement regular machine key rotation as an ongoing security practice.
Examine their environments for suspicious or anomalous behavior using the indicators of compromise provided by Mandiant and Sitecore.
Enable ViewState Message Authentication Code (MAC) validation and encryption in their ASP.NET configurations.

Critical vulnerability in Sitecore CMS is actively exploited to deploy malware

Read More
LayerSlider WordPress Plugin patches a critical flaw
CISA reports actively exploited flaw in Craft CMS
Critical flaw reported in WPLMS Learning Management System …
Critical XWiki vulnerability exploited in crypto mining malware …
LiteSpeed Cache plugin has XSS vulnerability, 4M WordPress …