Menace actors have been exploiting a zero-day vulnerability in legacy Sitecore deployments to deploy WeepSteel reconnaissance malware.
The flaw, tracked below CVE-2025-53690, is a ViewState deserialization vulnerability brought on by the inclusion of a pattern ASP.NET machine key in pre-2017 Sitecore guides.
Some prospects reused this key in manufacturing, permitting attackers with information of the important thing to craft legitimate, however malicious ‘_VIEWSTATE’ payloads that tricked the server into deserializing and executing them, resulting in distant code execution (RCE).
The flaw is not a bug in ASP.NET itself, however a misconfiguration vulnerability created by reusing publicly documented keys that have been by no means meant for manufacturing.
Exploitation exercise
Mandiant researchers, who found the malicious exercise within the wild, report that menace actors have been leveraging the flaw in multi-stage assaults.
The attackers goal the ‘/sitecore/blocked. aspx’ endpoint, which incorporates an unauthenticated ViewState subject, and obtain RCE below the IIS NETWORK SERVICE account by leveraging CVE-2025-53690.
The malicious payload they drop is WeepSteel, a reconnaissance backdoor that gathers system, course of, disk, and community data, disguising its exfiltration as normal ViewState responses.
Supply: Mandiant
Mandiant noticed the execution of reconnaissance instructions on compromised environments, together with whoami, hostname, tasklist, ipconfig /all, and netstat -ano.
Within the subsequent stage of the assault, the hackers deployed Earthworm (a community tunneling and reverse SOCKS proxy), Dwagent (a distant entry device), and 7-Zip, which is used to create archives of the stolen knowledge.
Subsequently, they escalated their privileges by creating native administrator accounts (‘asp$,’ ‘sawadmin’), cached (SAM and SYSTEM hives) credentials dumping, and tried token impersonating by way of GoTokenTheft.
Persistence was secured by disabling password expiration for these accounts, giving them RDP entry, and registering Dwagent as a SYSTEM service.
Supply: Mandiant
Mitigating CVE-2025-53690
CVE-2025-53690 impacts Sitecore Expertise Supervisor (XM), Expertise Platform (XP), Expertise Commerce (XC), and Managed Cloud, as much as model 9.0, when deployed utilizing the pattern ASP.NET machine key included in pre-2017 documentation.
XM Cloud, Content material Hub, CDP, Personalize, OrderCloud, Storefront, Ship, Uncover, Search, and Commerce Server will not be impacted.
Sitecore printed a safety bulletin in coordination with Mandiant’s report, warning that multi-instance deployments with static machine keys are additionally in danger.
The beneficial actions for doubtlessly impacted directors are to instantly change all static <machineKey> values in internet.config with new, distinctive keys, and make sure the <machineKey> ingredient inside internet.config is encrypted.
Usually, it is suggested to undertake common static machine key rotation as an ongoing safety measure.
Extra data on how one can shield ASP.NET machine keys from unauthorized entry may be discovered right here.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration tendencies.
