
Critical ViewState Deserialization Zero-Day in Sitecore (CVE-2025-53690)

by Security News

Overview

The SonicWall Capture Labs threat research team identified CVE-2025-53690 and assessed its impact. Sitecore is a widely used digital experience platform (DXP) that provides content management, personalization and e-commerce capabilities for enterprises. The flaw enables pre-authentication remote code execution (RCE) against internet-facing Sitecore deployments that reused a sample ASP.NET machineKey from older documentation (or any shared or weak key). Affected product families include XM, XP, XC and Managed Cloud when deployed with the exposed key pattern. The vulnerability has a CVSS v3.1 score of 9.0 (Critical) and was added to CISA’s KEV catalog on September 4, 2025, when Mandiant documented active exploitation in the wild.

Technical Overview

ASP.NET’s ViewState uses the application’s machineKey to sign and validate state data. In legacy Sitecore guides (pre-2017), an example key was published and was sometimes copied verbatim into production, so older deployments such as Sitecore XP 9.0 and earlier often run with static or predictable keys.

To understand how CVE-2025-53690 exploits this mechanism, it’s essential to first understand how ViewState protection is supposed to work. ASP.NET applies a message authentication code (MAC) to ViewState data using a secret key stored on the server, which validates the integrity of incoming ViewState during postback operations (see Figure 1). During normal operation, the server takes incoming ViewState data, combines it with the secret machineKey, and computes a hash value. This computed hash is then compared against the hash value included with the ViewState payload. If the values match, the ViewState is considered legitimate and processing continues. If they don’t match, the server rejects the request as potentially tampered data.

Figure 1: Applying a Message Authentication Code (MAC) to ViewState (Source: Microsoft Learn — View State Security)

The vulnerability arises from the use of a publicly known machineKey, the secret that protects the integrity and confidentiality of ViewState. Once a key is hardcoded, publicly known or otherwise compromised, attackers can craft malicious __VIEWSTATE payloads that pass validation. The protection depends entirely on keeping the machineKey secret, because possession of the key allows an attacker to generate valid MAC signatures for arbitrary payloads.

In real-world incidents, threat actors began their operations by probing various Sitecore endpoints before focusing on /sitecore/blocked.aspx, which is a legitimate component that displays a license-related error message but exposes a hidden, unauthenticated ViewState form. This, combined with the server’s willingness to deserialize untrusted ViewState messages when the machineKey is compromised, allowed attackers to inject and execute arbitrary objects, leading to remote code execution under the IIS worker (w3wp) context. Other vulnerable endpoints, such as /sitecore/shell/ClientBin/Reporting/Report.ashx, have also been observed in exploitation.

Triggering the Vulnerability

To trigger the vulnerability, an attacker crafts a POST request to an exposed Sitecore endpoint containing a malicious ViewState payload signed using one of the known or leaked machine keys. If the server is configured with these known keys and does not enforce additional ViewState protections, the payload is accepted and deserialized, leading to remote code execution.

Required conditions to trigger:

  • Sitecore was deployed with a sample or shared machineKey (XP 9.0 / AD 1.4 and earlier are frequently cited in incident reports, but any product family can be at risk if the key was reused).
  • Endpoint accepting ViewState is reachable from the internet.
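The two conditions above make the abused endpoints a natural detection point. The following is an added example, not code from the original post or from SonicWall or Sitecore: it parses IIS W3C logs and flags large POST requests to the Sitecore endpoints named in this write-up. The log lines, field layout and size threshold are constructed for illustration.

```python
"""Added example, not from the original post: flag large POST requests to the
Sitecore endpoints named in this write-up in IIS W3C logs. The log lines and
the size threshold are constructed for illustration; tune them to your site."""
# Endpoints the write-up reports as abused, compared case-insensitively.
WATCHED_ENDPOINTS = {
    "/sitecore/blocked.aspx",
    "/sitecore/shell/clientbin/reporting/report.ashx",
}
# Constructed threshold: a real postback to the license page is tiny, while a
# serialized gadget chain in __VIEWSTATE runs to many kilobytes.
LARGE_BODY_BYTES = 4096

def parse_w3c(lines):
    """Yield one dict per IIS W3C log row, keyed by the names in #Fields."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, parts))

def suspicious_viewstate_posts(lines):
    """Return (client ip, uri, request bytes) for large POSTs to watched URIs."""
    hits = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "").lower()
        if row.get("cs-method") != "POST" or uri not in WATCHED_ENDPOINTS:
            continue
        size = int(row.get("cs-bytes", "0"))  # cs-bytes must be enabled in IIS
        if size >= LARGE_BODY_BYTES:
            hits.append((row["c-ip"], uri, size))
    return hits

# Constructed sample log with the optional cs-bytes field enabled.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-bytes sc-status
2025-09-04 10:00:01 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 203.0.113.10 512 200
2025-09-04 10:00:02 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 18342 500
2025-09-04 10:00:09 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 203.0.113.10 22110 200
2025-09-04 10:01:00 10.0.0.5 POST /sitecore/login - 443 - 198.51.100.7 900 302
""".splitlines()
if __name__ == "__main__":
    for ip, uri, size in suspicious_viewstate_posts(SAMPLE_LOG):
        print(f"ALERT {ip} POST {uri} ({size} bytes)")
```

The GET to blocked.aspx and the small POST to the login page are not flagged; only the two oversized POSTs to the watched endpoints are.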

Exploitation

CVE-2025-53690 is being actively exploited. Once attackers gain execution, they deploy a suite of post-exploitation tools to expand access and move laterally:

  • WEEPSTEEL for reconnaissance
  • EARTHWORM for tunneling and covert communications
  • DWAgent for persistent remote access
  • SharpHound for Active Directory reconnaissance
  • GoTokenTheft for harvesting authentication tokens

Responders observed adversaries creating local administrator accounts, dumping the SAM/SYSTEM hives to extract credentials and enabling RDP for lateral movement. These tools have allowed attackers to pivot into domain environments and stage further operations. While no public proof of concept has been released, indicators of compromise and behavioral patterns are being widely shared in the security community to support active defense. Mandiant has released an attack flow (Figure 2) showing how they have observed this vulnerability being leveraged in the wild.

Figure 2: Attack Flow (Source: Google Mandiant)

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 21438 — Sitecore XP Insecure Deserialization 2

Remediation Recommendations

  • Immediately rotate any ASP.NET machine keys that were generated from Sitecore documentation or shared sources.
  • Encrypt the <machineKey> section of your web.config file and restrict its access permissions.
  • Apply any configuration guidance from Sitecore advisory SC2025-005.
  • Audit logs for unusual activity such as unauthorized local admin account creation, unexpected RDP usage, or outbound tunnels.
  • Monitor for IOCs related to WEEPSTEEL, EARTHWORM, and DWAgent tools.
  • Segment Sitecore servers from critical infrastructure and review any lateral movement paths.
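The first two remediation items can be checked mechanically. Below is an added example, not part of the original post or of Sitecore's own tooling: it audits a web.config for a reused sample key, short keys, a legacy validation algorithm and disabled ViewState MAC, and builds a replacement machineKey element with fresh random keys. KNOWN_SAMPLE_KEYS and the sample config are constructed placeholders, since the real sample key is not reproduced here.

```python
"""Added example, not part of the original post or of Sitecore's own tooling:
audit a web.config for the machineKey weaknesses the remediation list targets.
KNOWN_SAMPLE_KEYS and the sample config are constructed placeholders; load the
real documented sample keys from the Sitecore advisory before use."""
import secrets
import xml.etree.ElementTree as ET

# Placeholder set of documented sample keys (upper-case hex); not a real key.
KNOWN_SAMPLE_KEYS = {"DEADBEEF" * 16}

def audit_machine_key(web_config_xml):
    """Return a list of findings about <machineKey> and ViewState MAC settings."""
    root = ET.fromstring(web_config_xml)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # Keys are then auto-generated per machine: fine for a single server,
        # but a load-balanced farm needs one explicit, unique key per site.
        findings.append("no machineKey element; confirm auto-generation is intended")
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a documented sample key; rotate now")
        elif len(value) < 64:
            findings.append(f"{attr} is only {len(value)} hex chars; regenerate it")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation algorithm is legacy; use HMACSHA256 or stronger")
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false turns off ViewState MAC checks on older frameworks")
    return findings

def new_machine_key_element():
    """Build a replacement <machineKey> with fresh random keys (64-byte HMAC, 32-byte AES)."""
    return (f'<machineKey validationKey="{secrets.token_hex(64)}" '
            f'decryptionKey="{secrets.token_hex(32)}" '
            'validation="HMACSHA256" decryption="AES" />')

# Constructed web.config fragment that reuses the placeholder sample key.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="{'DEADBEEF' * 16}" decryptionKey="{'DEADBEEF' * 8}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""
```

Run audit_machine_key against each site's web.config in a farm; after rotating, every node must carry the same new key or ViewState from one node will fail validation on another.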

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
