Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Sitecore ViewState deserialization RCE via exposed sample machineKey

Identifiers: CVE-2025-53690 · CWE-502 (Deserialization of Untrusted Data)

CVE-2025-53690 is a deserialization of untrusted data vulnerability affecting Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) through version 9.0. Multiple supporting reports describe the flaw as an ASP.NET ViewState deserialization issue in certain Sitecore deployments that reused a publicly exposed sample/default machineKey from Sitecore deployment guidance published in or before 2017. When a vulnerable deployment uses that known machineKey, an attacker can forge a malicious ViewState payload that the server accepts as valid and deserializes, resulting in code injection / remote code execution. Reporting also indicates exploitation against public-facing Sitecore endpoints such as /sitecore/blocked.aspx using crafted HTTP POST requests containing malicious ViewState data. Successful execution has been reported to occur pre-authentication on internet-facing deployments, typically in the IIS worker context (reported as NETWORK SERVICE in some analyses).


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables unauthenticated remote code execution on vulnerable Sitecore servers. Observed real-world intrusions used the flaw for initial access, deployment of malware such as WeepSteel, creation of unauthorized administrative accounts, credential theft, Active Directory reconnaissance, tunneling with tools such as Earthworm, persistent remote access via DWAgent, exfiltration of configuration files and registry hives, and broader lateral movement. Because the vulnerable application is typically internet-facing and tied to enterprise CMS/DXP infrastructure, compromise can lead to full site/server takeover and downstream enterprise compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrading is not possible, mitigate by replacing legacy/sample machineKey values with unique strong keys, restricting exposure of Sitecore administrative or unnecessary public endpoints, and closely monitoring for exploitation indicators such as POST requests to /sitecore/blocked.aspx with anomalous ViewState data, unexpected accounts (for example asp$ or sawadmin as reported), dropped DLLs such as Information.dll, and execution of tools including dwagent.exe, ew.exe, SharpHound, and unexpected 7z.exe activity. Additional defensive measures include limiting internet exposure, enforcing web application monitoring/logging around ViewState-bearing requests, and hunting for post-exploitation artifacts including web.config access, SAM/SYSTEM hive export activity, and suspicious service creation.
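The log-monitoring step above can be scripted. The following is an added example (not code from Mallory, Sitecore, or the cited reporting) that triages IIS W3C logs for POST requests to /sitecore/blocked.aspx; the log lines are constructed, and the request-size threshold and the status-500 heuristic are assumptions to tune against your own baseline.

```python
from typing import Iterator

# Constructed IIS W3C log excerpt (not real traffic). The #Fields line drives parsing.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2025-09-02 10:14:01 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.7 Mozilla/5.0 200 512
2025-09-02 10:14:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 python-requests/2.32 200 18734
2025-09-02 10:15:22 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.9 Mozilla/5.0 302 1404
2025-09-02 10:16:40 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 python-requests/2.32 500 22110
"""

WATCHED_PATHS = {"/sitecore/blocked.aspx"}
# Assumed threshold: serialized ViewState gadget chains are large compared with a normal
# postback to this page. Set it from your own traffic baseline.
BODY_BYTES_THRESHOLD = 8000


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_suspicious_posts(text: str) -> list[dict]:
    """Flag POSTs to watched Sitecore paths with oversized bodies or server errors."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "POST":
            continue
        if rec.get("cs-uri-stem", "").lower() not in WATCHED_PATHS:
            continue
        size = int(rec.get("cs-bytes", "0"))
        reasons = []
        if size >= BODY_BYTES_THRESHOLD:
            reasons.append(f"large request body ({size} bytes)")
        if rec.get("sc-status") == "500":
            # Heuristic: a ViewState MAC failure surfaces as an unhandled exception (HTTP 500).
            reasons.append("server error on POST (possible rejected ViewState)")
        if reasons:
            hits.append({"time": rec["time"], "client": rec["c-ip"],
                         "status": rec["sc-status"], "reasons": reasons})
    return hits
```

Correlate the flagged client addresses with the account-creation and tool-execution indicators listed above rather than alerting on request size alone.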

Remediation

Patch, then assume compromise.

Upgrade affected Sitecore deployments beyond version 9.0 and apply Sitecore’s vendor fixes and hardening guidance referenced in reporting, including KB1003865. Replace any sample, default, reused, or otherwise exposed ASP.NET <machineKey> values in web.config with unique, cryptographically strong per-deployment keys, and ensure keys are rotated where historical exposure is possible. Review all internet-facing Sitecore instances for compromise, especially those that may have inherited legacy configuration from older deployment guides. Apply vendor patches, regenerate secrets/keys, remove unauthorized accounts and persistence mechanisms, and perform incident response if exposure is suspected due to confirmed in-the-wild exploitation.
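The machineKey replacement step above, as an added example that is not Sitecore's or Mallory's code: it audits the <machineKey> element of a web.config and rewrites it with fresh per-deployment keys. The web.config fragment is constructed, the KNOWN_SAMPLE_KEYS entries are placeholders (the published sample key is not reproduced here), and the 64-hex-character minimum is an assumed hygiene threshold.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment; the key values are placeholders standing in for a
# published sample key, not the real one.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_KNOWN_SAMPLE_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_KNOWN_SAMPLE_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Populate from your own collection of keys seen in public guides; placeholders here.
KNOWN_SAMPLE_KEYS = {"PLACEHOLDER_KNOWN_SAMPLE_VALIDATION_KEY",
                     "PLACEHOLDER_KNOWN_SAMPLE_DECRYPTION_KEY"}
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for <system.web>/<machineKey>; an empty list means nothing flagged."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        return []  # no element: ASP.NET auto-generates keys, so no shared-sample-key exposure
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        val = mk.get(attr, "AutoGenerate")  # ASP.NET default when the attribute is absent
        if val in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a known published sample key")
        elif not val.startswith("AutoGenerate") and len(val) < 64:
            findings.append(f"{attr} is short ({len(val)} hex chars)")
    if mk.get("validation", "HMACSHA256") not in STRONG_VALIDATION:
        findings.append(f"validation={mk.get('validation')} is weak; use HMACSHA256 or stronger")
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Replace <machineKey> with unique random keys (HMACSHA256 validation, AES decryption)."""
    root = ET.fromstring(config_xml)
    web = root.find("./system.web")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())  # 64 random bytes for HMACSHA256
    mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32 random bytes = AES-256
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")
```

Rotating the keys invalidates in-flight ViewState and existing forms-authentication tickets, and every node in a web farm must receive the same new values.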
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

Valid: 0 / 3 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   | Product             | Type
Sitecore | Experience Commerce | application
Sitecore | Experience Manager  | application
Sitecore | Experience Platform | application
Sitecore | Managed Cloud       | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

Additional data tracked for this CVE (counts as captured):

- Exposure mapping: assets running an affected version and their blast radius
- Threat actor evidence: 3 (observed campaigns linking this CVE to a named adversary)
- Associated malware: 8 (malware families using this exploit, with evidence and IOCs)
- Detection signatures: 2 (YARA, Sigma, Snort, and vendor rules)
- Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants
- Social activity: 90 (community discussion across Reddit, Mastodon, and other social sources)