The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring all Federal Civilian Executive Branch (FCEB) agencies to patch their Sitecore systems no later than September 25, 2025, after confirming that a critical flaw is being actively exploited in the wild.
Tracked as CVE-2025-53690 with a CVSS score of 9.0/10, the vulnerability impacts Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. The root cause is insecure deserialization of untrusted data: affected deployments were configured with a static ASP.NET machine key copied from Sitecore's own sample configuration, and anyone who knows that key can mint a __VIEWSTATE value that passes the server's MAC check and is then deserialized, giving the attacker remote code execution (RCE) in the context of the web application.
Active Exploitation Detected
Google-owned Mandiant identified ongoing exploitation of the bug through a ViewState deserialization attack, noting that attackers leveraged a sample machine key that had been publicly disclosed in outdated Sitecore deployment guides from 2017 and earlier.
The exploitation process showed a high level of sophistication, with threat actors moving quickly from initial compromise to privilege escalation and persistence. Attackers deployed a payload dubbed WEEPSTEEL, a .NET assembly designed to harvest system, user, and network details before exfiltrating the data.
Once inside, the adversaries used a mix of open-source and custom tools to expand their foothold, including:
- EarthWorm for SOCKS tunneling
- DWAgent for persistence and Active Directory reconnaissance
- SharpHound to map Active Directory environments
- GoTokenTheft for token manipulation and process enumeration
- Remote Desktop Protocol (RDP) for lateral movement
Additionally, attackers created local administrator accounts (asp$ and sawadmin) to dump credential stores (SAM/SYSTEM hives) and later removed these accounts to adopt stealthier persistence methods.
Broader Exploitation Trends
This vulnerability is part of a wider trend in which leaked or static ASP.NET machine keys are abused. Microsoft previously reported limited exploitation in December 2024, linked to the deployment of the Godzilla post-exploitation framework. Similarly, in mid-2025, ConnectWise disclosed a ScreenConnect vulnerability (CVE-2025-3935) tied to nation-state threat actors abusing machine keys for ViewState injection attacks.
More recently, the Initial Access Broker (IAB) known as Gold Melody has also been connected to campaigns leveraging leaked keys for unauthorized access, which is then resold to other threat groups.
Recommended Actions
Security experts stress the urgency of remediation. Organizations should:
- Rotate ASP.NET machine keys immediately.
- Audit and lock down Sitecore configurations.
- Harden exposure by ensuring Sitecore instances are not directly accessible from the public internet.
- Conduct thorough compromise assessments for signs of persistence or lateral movement.
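The first two steps above, auditing a web.config for a pasted sample key and rotating it, can be scripted. The Python below is an added example written for this article, not Sitecore's or Microsoft's tooling. It assumes the standard `<configuration><system.web><machineKey .../>` layout; the `KNOWN_SAMPLE_KEYS` set and the `SAMPLE_WEB_CONFIG` fragment are constructed placeholders for this example and are not the actual key from the affected deployment guides, so an operator would populate the set with the literal keys found in their own old guides and golden images.

```python
"""Audit and rotate the <machineKey> element of an ASP.NET web.config.

Added example for this article (not Sitecore or Microsoft code). The sample
key strings below are constructed for illustration and are NOT the key from
the Sitecore deployment guides referenced in the advisory.
"""
import secrets
import xml.etree.ElementTree as ET

# ASP.NET 4.x key sizes: HMACSHA256 validationKey = 64 bytes, AES-256
# decryptionKey = 32 bytes, both stored as upper-case hex in web.config.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32

# Constructed placeholders: replace with the literal keys that appear in your
# deployment guides or templates so any environment still using them is flagged.
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,   # constructed 64-byte validationKey stand-in
    "FEDCBA9876543210" * 4,   # constructed 32-byte decryptionKey stand-in
}

# Constructed web.config fragment modelling a deployment that pasted a sample
# key and kept legacy algorithm settings.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="FEDCBA9876543210" * 4)


def _machine_key_element(root):
    """Locate <system.web>/<machineKey> by walking children (no XPath needed)."""
    for section in root:
        if section.tag == "system.web":
            for child in section:
                if child.tag == "machineKey":
                    return child
    return None


def audit_machine_key(config_xml):
    """Return a list of findings about <machineKey>; an empty list means clean."""
    root = ET.fromstring(config_xml)
    mk = _machine_key_element(root)
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-server keys, which an
        # attacker cannot read from a guide (but ViewState won't validate across a farm).
        return []
    findings = []
    for attr, expected_bytes in (("validationKey", VALIDATION_KEY_BYTES),
                                 ("decryptionKey", DECRYPTION_KEY_BYTES)):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        normalized = value.upper()
        if normalized in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr}: matches a known sample/default key")
        elif len(normalized) < expected_bytes * 2:
            findings.append(f"{attr}: only {len(normalized) // 2} bytes, "
                            f"expected {expected_bytes}")
    if mk.get("validation", "HMACSHA256").upper() in {"MD5", "SHA1"}:
        findings.append("validation: legacy MAC algorithm, use HMACSHA256")
    if mk.get("decryption", "Auto").upper() in {"3DES", "DES"}:
        findings.append("decryption: legacy cipher, use AES")
    return findings


def generate_machine_key():
    """Fresh, environment-unique key material from the OS CSPRNG."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml, new_key):
    """Return the config text with <machineKey> overwritten (created if absent)."""
    root = ET.fromstring(config_xml)
    web = next((s for s in root if s.tag == "system.web"), None)
    if web is None:
        web = ET.SubElement(root, "system.web")
    mk = _machine_key_element(root)
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    for attr, value in new_key.items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG, generate_machine_key())
    print("after: ", audit_machine_key(rotated))
    print(rotated)
```

Two operational caveats belong with the script. In a multi-node Sitecore deployment the new key must be identical on every node of the same environment (and different between environments), or ViewState and forms-authentication tickets will fail to validate after the rollout; rotation also invalidates sessions in flight, so schedule it. And rotating the key only closes the door for future forgeries; it does nothing about an attacker who already used the old key, which is why the compromise assessment in the last step is not optional.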
“Any Sitecore deployment using default or sample keys is highly exposed,” warned Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “This isn’t just a misconfiguration—it’s effectively an open door to Remote Code Execution.”
VulnCheck VP of research, Caitlin Condon, added:
“Threat actors do read documentation. If default or sample machine keys are reused from guides, it gives attackers a direct path into enterprise systems. Rotating machine keys and closing public exposure should be a top priority.”
The Bigger Picture
Sitecore has confirmed that new deployments now generate unique keys automatically, and affected customers are being notified. However, the full scope of exploitation remains unclear.
With CVE-2025-53690 already weaponized in active campaigns, this case underscores the importance of secure deployment practices, avoiding default configurations, and maintaining vigilance against exploitation of publicly documented weaknesses.
Source: https://thehackernews.com/2025/09/cisa-orders-immediate-patch-of-critical.html