
A critical zero-day vulnerability in legacy Sitecore deployments, designated CVE-2025-53690, has been actively exploited by threat actors to achieve remote code execution and deploy sophisticated backdoors and reconnaissance tools [1]. Discovered and analyzed by Mandiant Threat Intelligence, this vulnerability stems from a severe misconfiguration where organizations used a publicly exposed, static ASP.NET machine key provided in Sitecore’s own legacy documentation [2]. The exploitation campaign, which involved deploying a custom reconnaissance malware dubbed WeepSteel, highlights a significant failure in secure configuration management and exemplifies a broader trend of attackers shifting focus to enterprise software.
Technical Breakdown of CVE-2025-53690
CVE-2025-53690 is a ViewState deserialization vulnerability in the ASP.NET framework that allows unauthenticated remote code execution. It has been assigned a critical CVSS score of 9.0. The root cause is the use of a known, static machine key for the `
The Broader Sitecore Vulnerability Landscape
This zero-day incident did not occur in isolation. Earlier in 2025, security firm watchTowr Labs disclosed a series of vulnerabilities in Sitecore, including CVE-2025-53693 (HTML cache poisoning), CVE-2025-53691 (RCE through insecure deserialization), and CVE-2025-53694 (information disclosure in the ItemService API) [5]. Researchers demonstrated that these flaws could be chained together for a complete pre-authentication compromise. This history indicates a pattern of security issues within the platform, expanding the potential attack surface for threat actors beyond the recent zero-day.
Detailed Attack Chain and Malware Deployment
Mandiant’s report outlines a multi-stage attack demonstrating deep familiarity with the Sitecore platform [2]. After initial access was gained via the ViewState exploit on the `blocked.aspx` page, attackers deployed the WeepSteel malware. This tool was designed for reconnaissance, gathering extensive system, network, and user data. The collected information was then exfiltrated from the network, cleverly disguised within HTTP responses that mimicked legitimate ViewState data, a technique likely chosen to blend in with normal traffic.
Following reconnaissance, the attackers archived critical directories and files, including the `web.config`, using the legitimate 7-Zip tool for exfiltration. To establish persistence and enable lateral movement, they deployed a suite of additional tools. This included the open-source EARTHWORM utility for network tunneling, the DWAGENT remote access Trojan (RAT) installed as a Windows service, and SHARPHOUND for conducting Active Directory reconnaissance. The attackers also created new local administrator accounts, dumped credential databases from the SAM and SYSTEM hives, and used token impersonation and RDP to move laterally across the compromised network.
Mitigation and Response Guidance
Sitecore responded to the disclosure with advisory SC2025-005 (KB1003865) [6]. The primary and most urgent mitigation step is to immediately rotate any static `
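The root cause described in the technical breakdown (a static, publicly documented ASP.NET machine key) and the rotation guidance in this section, as an added example that is not Sitecore's advisory tooling or Mandiant's code: a small Python audit that flags a `web.config` whose `<machineKey>` carries a hard-coded key, checks it against a set of keys the operator knows to have been published, and produces freshly generated keys to rotate in. The config fragments, the key values and the "known published" hash set are constructed placeholders (the hash set is seeded with a made-up key, not the documented one); the `web.config` element and attribute names are the real ASP.NET ones.

```python
"""Audit an ASP.NET web.config for a static <machineKey> and generate fresh
keys for rotation. Added example; not Sitecore's or Mandiant's tooling."""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed: SHA-256 digests of keys known to have been published (for
# example, copied from vendor documentation). Populate from your own inventory;
# the single entry here is the made-up key used in WEB_CONFIG_STATIC below.
KNOWN_PUBLISHED_KEYS = {hashlib.sha256(b"0123456789ABCDEF" * 8).hexdigest()}

# Constructed sample: a config that pins a hard-coded key (the misconfiguration).
WEB_CONFIG_STATIC = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(vk="0123456789ABCDEF" * 8, dk="0123456789ABCDEF" * 4)

# Constructed sample: a single-server config that lets ASP.NET generate keys.
WEB_CONFIG_SAFE = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    root = ET.fromstring(web_config_xml)
    findings = []
    key = root.find("./system.web/machineKey")
    if key is None:
        return findings  # absent element: ASP.NET defaults to AutoGenerate,IsolateApps
    for attr in ("validationKey", "decryptionKey"):
        value = key.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if not HEX_KEY.match(value):
            findings.append(("warn", f"{attr}: value is not a hex key: {value!r}"))
            continue
        digest = hashlib.sha256(value.upper().encode()).hexdigest()
        if digest in KNOWN_PUBLISHED_KEYS:
            findings.append(("critical", f"{attr}: matches a publicly known key; rotate now"))
        else:
            # A hard-coded key is normal for web farms, but it must be unique to
            # this deployment and never copied from documentation or samples.
            findings.append(("info", f"{attr}: static key; confirm it is unique and unpublished"))
    if key.get("validation", "HMACSHA256").upper() in {"MD5", "SHA1", "3DES"}:
        findings.append(("warn", "validation: legacy MAC algorithm; use HMACSHA256 or stronger"))
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "pages: enableViewStateMac=false disables ViewState integrity checks"))
    return findings


def generate_machine_key():
    """Fresh per-deployment keys: 64 random bytes for the HMACSHA256 validation
    key and 32 for the AES-256 decryption key, hex-encoded as web.config expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config_xml, keys):
    """Return the config text with its <machineKey> replaced by `keys`."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    old = system_web.find("machineKey")
    if old is not None:
        system_web.remove(old)
    ET.SubElement(system_web, "machineKey", keys)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("static", WEB_CONFIG_STATIC), ("safe", WEB_CONFIG_SAFE)):
        print(name, audit_machine_key(cfg))
    print(rotate_machine_key(WEB_CONFIG_STATIC, generate_machine_key()))
```

`AutoGenerate,IsolateApps` only works for a single server; a web farm needs the same key on every node, which is what `generate_machine_key` produces, so the audit reports a unique static key as informational rather than as a defect. Rotating the key invalidates existing ViewState and forms-authentication tickets, so schedule the change and expect users to re-authenticate.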
Security experts emphasize that key rotation is only the first step. Caitlin Condon of VulnCheck noted that “adversaries definitely read product docs,” highlighting the shared responsibility between vendors and users [7]. Given that the attackers deployed persistent malware, organizations with affected deployments must conduct thorough threat hunting for evidence of compromise, focusing on the tools and techniques outlined in the attack chain. This includes monitoring for the presence of WeepSteel, unexpected 7-Zip execution, new local admin accounts, and network traffic associated with tools like EARTHWORM and DWAGENT.
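The hunting guidance above, as an added example that is not Mandiant's detection content: Python rules run over a handful of normalized Windows events that encode the behaviours the attack chain lists, namely the IIS worker process spawning a shell or 7-Zip, an account being created and then added to the local Administrators group, and a watchlisted tool name (DWAGENT, SHARPHOUND, EARTHWORM) appearing as a new service or process. The event IDs are the standard Windows ones (4688 process creation, 4720 account created, 4732 member added to a local group, 7045 service installed); the JSON field names, hostnames, paths and account names are this example's own constructed sample data, not a SIEM schema or real indicators.

```python
"""Hunt for the post-exploitation activity described in the report over
normalized Windows events. Added example; not Mandiant's detection content."""
import json
from collections import Counter

# Constructed sample events (JSON lines). Standard Windows event IDs, but the
# field names, paths and account names are made up for this example.
SAMPLE_EVENTS = r"""
{"ts":"2025-09-01T10:00:01Z","host":"SC-CD-01","event_id":4688,"parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","user":"IIS APPPOOL\\SitecorePool"}
{"ts":"2025-09-01T10:02:40Z","host":"SC-CD-01","event_id":4688,"parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Program Files\\7-Zip\\7z.exe","user":"IIS APPPOOL\\SitecorePool"}
{"ts":"2025-09-01T10:05:12Z","host":"SC-CD-01","event_id":4688,"parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\notepad.exe","user":"CORP\\jsmith"}
{"ts":"2025-09-01T10:07:03Z","host":"SC-CD-01","event_id":4720,"target_account":"svc_backup","user":"IIS APPPOOL\\SitecorePool"}
{"ts":"2025-09-01T10:07:05Z","host":"SC-CD-01","event_id":4732,"group":"Administrators","member":"svc_backup","user":"IIS APPPOOL\\SitecorePool"}
{"ts":"2025-09-01T10:09:30Z","host":"SC-CD-01","event_id":7045,"service_name":"DWAgent","image_path":"C:\\ProgramData\\dwagent\\agent.exe"}
{"ts":"2025-09-01T10:12:00Z","host":"SC-CD-01","event_id":4688,"parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\Temp\\SharpHound.exe","user":"SC-CD-01\\svc_backup"}
{"ts":"2025-09-01T10:15:00Z","host":"SC-CD-01","event_id":7045,"service_name":"Spooler","image_path":"C:\\Windows\\System32\\spoolsv.exe"}
"""

WEB_WORKERS = {"w3wp.exe"}
SHELLS_AND_ARCHIVERS = {"cmd.exe", "powershell.exe", "7z.exe", "7za.exe"}
# Tool names from the report, matched as substrings of image and service names.
TOOL_WATCHLIST = ("dwagent", "earthworm", "sharphound", "weepsteel")
ADMIN_GROUPS = {"administrators", "s-1-5-32-544"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return alert dicts for the behaviours in the attack chain."""
    alerts = []
    created = set()  # accounts seen created (4720) earlier in this batch

    def alert(rule, event, detail):
        alerts.append({"rule": rule, "ts": event["ts"], "host": event["host"], "detail": detail})

    for e in events:
        eid = e["event_id"]
        if eid == 4688:
            parent, image = basename(e["parent"]), basename(e["image"])
            # IIS worker spawning a shell or archiver: the pattern behind both the
            # initial ViewState RCE and the 7-Zip staging of web.config.
            if parent in WEB_WORKERS and image in SHELLS_AND_ARCHIVERS:
                alert("web-worker-child-process", e, f"{parent} -> {image} as {e['user']}")
            if any(tool in image for tool in TOOL_WATCHLIST):
                alert("watchlisted-tool", e, f"process {e['image']}")
        elif eid == 4720:
            created.add(e["target_account"].lower())
        elif eid == 4732 and e["group"].lower() in ADMIN_GROUPS:
            member = e["member"].lower()
            # Creation followed by admin-group membership is the "new local admin"
            # pattern; membership changes alone are still worth a lower-severity alert.
            rule = "new-local-admin" if member in created else "admin-group-change"
            alert(rule, e, f"{member} added to {e['group']} by {e['user']}")
        elif eid == 7045:
            haystack = (e["service_name"] + " " + e["image_path"]).lower()
            if any(tool in haystack for tool in TOOL_WATCHLIST):
                alert("watchlisted-tool", e, f"service {e['service_name']} -> {e['image_path']}")
    return alerts


def rule_counts(alerts):
    """Summary of how many alerts each rule produced."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(load_events(SAMPLE_EVENTS))
    for a in found:
        print(a["ts"], a["host"], a["rule"], a["detail"])
    print(rule_counts(found))
```

Process-creation detail requires 4688 auditing (or Sysmon event 1) to be enabled on the Sitecore hosts, and in a real pipeline the 4720/4732 correlation should be windowed by time rather than by batch. Name-based matching on renamed tools is weak by itself; the parent/child rule on the IIS worker process is the more durable signal here. Network-side hunting for EARTHWORM tunnels is outside what this host-log example covers.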
Context Within Enterprise Targeting Trends
This attack aligns with a larger strategic shift by threat actors. A 2024 report from the Google Threat Intelligence Group (GTIG) found that 44% of that year’s zero-days targeted enterprise technologies, a rise from 37% in 2023 [8]. Furthermore, over 50% of attributed zero-days were linked to cyber espionage actors. The sophisticated, multi-stage nature of the Sitecore attack, with its focus on reconnaissance and lateral movement, is consistent with espionage objectives. Enterprise content management systems like Sitecore are high-value targets because they often reside on the network perimeter and hold sensitive information.
The exploitation of CVE-2025-53690 serves as a critical case study in the importance of secure configuration management. The use of default or sample credentials and keys remains a pervasive and high-impact security failure. For defenders, this incident underscores the necessity of rigorous configuration audits and the assumption that any sample code or configuration provided in vendor documentation is known to adversaries. For the wider security community, it reinforces the need for robust monitoring of authentication and authorization mechanisms, especially on internet-facing applications, and the continuous hunting for threats even after a vulnerability has been patched or mitigated.