
Cybersecurity researchers at Google's Mandiant have uncovered an active exploitation campaign targeting Sitecore deployments using a sample encryption key that was publicly exposed in official deployment guides from 2017 and earlier.
The vulnerability, tracked as CVE-2025-53690, affects organizations running Sitecore XP 9.0 and Active Directory 1.4 or earlier versions with the compromised sample key. Attackers leveraged this exposed ASP.NET machine key to execute ViewState deserialization attacks, achieving remote code execution on vulnerable servers.
"The attacker's deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation," Mandiant researchers noted in their technical analysis.
How the Attack Works
ViewState is an ASP.NET feature that persists a page's state between requests in a hidden HTML form field. Its integrity is protected by the server's machine key; once that key is known to an attacker, the server can no longer distinguish legitimate ViewState from attacker-crafted payloads, because both carry a signature it considers valid.
The attackers specifically targeted Sitecore's /sitecore/blocked.aspx page, which renders a hidden ViewState form and is reachable without authentication. They deployed WEEPSTEEL, a custom reconnaissance malware that disguises stolen data as legitimate ViewState responses, plus open-source tools such as the EARTHWORM tunneler and SHARPHOUND for Active Directory reconnaissance.
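Because the abused page is reachable without authentication and normally renders only a small form, one defensive check is to triage web server logs for unauthenticated POSTs to it that carry unusually large request bodies. The script below is an added example, not code from Mandiant, Sitecore or the original article; the IIS W3C field order, the byte threshold and the log lines are all constructed assumptions to adapt to your own logging configuration.

```python
"""Triage IIS W3C log lines for unauthenticated, oversized POSTs to
/sitecore/blocked.aspx. Added example; field order, threshold and the
sample log lines are constructed and must be adapted to real logs."""
from collections import Counter

# Assumed field order, as declared by the #Fields: header in an IIS W3C log.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken", "cs-bytes"]

TARGET_PAGE = "/sitecore/blocked.aspx"
LARGE_REQUEST_BYTES = 4096  # assumed threshold; baseline it against your own traffic

# Constructed sample log: two oversized anonymous POSTs from one client, plus benign noise.
CONSTRUCTED_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken cs-bytes
2025-09-01 10:15:02 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 31 412
2025-09-01 10:15:04 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 1874 91233
2025-09-01 10:15:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 1650 88710
2025-09-01 10:16:00 10.0.0.5 POST /sitecore/login - 443 - 198.51.100.20 Mozilla/5.0 302 0 0 40 1320
2025-09-01 10:16:30 10.0.0.5 POST /sitecore/blocked.aspx - 443 admin 198.51.100.20 Mozilla/5.0 200 0 0 55 980
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the assumed field names."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # different schema or malformed line: skip rather than guess
        yield dict(zip(FIELDS, parts))


def suspicious_viewstate_posts(text, threshold=LARGE_REQUEST_BYTES):
    """Return records for anonymous POSTs to the target page whose received
    byte count (cs-bytes, headers included) exceeds the threshold."""
    hits = []
    for rec in parse_w3c(text):
        if (rec["cs-method"] == "POST"
                and rec["cs-uri-stem"].lower() == TARGET_PAGE
                and rec["cs-username"] == "-"
                and int(rec["cs-bytes"]) > threshold):
            hits.append(rec)
    return hits


def source_summary(hits):
    """Count hits per client address so repeat senders stand out."""
    return Counter(h["c-ip"] for h in hits)


if __name__ == "__main__":
    found = suspicious_viewstate_posts(CONSTRUCTED_LOG)
    for h in found:
        print(f"{h['date']} {h['time']} {h['c-ip']} POST {h['cs-uri-stem']} cs-bytes={h['cs-bytes']}")
    print(dict(source_summary(found)))
```

The filter deliberately keys on the username field being empty: the page is meant to be reached anonymously, so an authenticated POST from an administrator is less interesting than a burst of large anonymous ones from a single address. Treat matches as leads for a closer look at the request bodies and at what the worker process did next, not as proof of compromise.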
Widespread Impact Potential
This attack highlights a critical supply chain security issue affecting enterprise content management systems. Organizations using older Sitecore deployment guides may unknowingly operate with the exposed sample key, leaving them vulnerable to sophisticated attacks that can escalate to full domain compromise.
The threat actors demonstrated advanced techniques, including privilege escalation through local administrator account creation, credential dumping from registry hives, and lateral movement via compromised domain accounts.
Immediate Action Required
Sitecore has confirmed that updated deployments automatically generate unique machine keys and has notified affected customers. Organizations should immediately verify their machine key configurations, implement automated key rotation, and enable ViewState Message Authentication Code (MAC) validation.
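The two configuration checks above (is the machine key a published sample value, and is ViewState MAC validation enabled) can be scripted against web.config. The audit below is an added example and not Sitecore's tooling; the entries in KNOWN_SAMPLE_KEYS are placeholders to be replaced with the sample values named in the vendor advisory, and both sample configs are constructed.

```python
"""Audit an ASP.NET web.config for the weaknesses this advisory describes:
a <machineKey> carrying a known sample value, or ViewState MAC validation
switched off. Added example; sample configs are constructed and the key
values are placeholders to replace with those from the vendor advisory."""
import xml.etree.ElementTree as ET

# Placeholders: fill with the sample validationKey/decryptionKey values
# published in the old deployment guides (not reproduced here).
KNOWN_SAMPLE_KEYS = {
    "PLACEHOLDER_SAMPLE_VALIDATION_KEY_FROM_VENDOR_ADVISORY",
    "PLACEHOLDER_SAMPLE_DECRYPTION_KEY_FROM_VENDOR_ADVISORY",
}


def _child(elem, tag):
    """Return the first direct child with the given tag, or None."""
    return next((c for c in elem if c.tag == tag), None)


def audit_web_config(xml_text):
    """Return a list of (severity, message) findings for a web.config document."""
    findings = []
    root = ET.fromstring(xml_text)
    system_web = _child(root, "system.web")
    if system_web is None:
        return [("info", "no <system.web> section found")]

    mk = _child(system_web, "machineKey")
    if mk is None:
        findings.append(("info", "<machineKey> not set: ASP.NET auto-generates per-server keys; "
                                 "confirm no parent configuration supplies a static key"))
    else:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "").strip()
            if value in KNOWN_SAMPLE_KEYS:
                findings.append(("critical", f"{attr} matches a published sample key; rotate immediately"))
            elif not value:
                findings.append(("warning", f"{attr} is empty or absent on <machineKey>"))
            # "AutoGenerate..." values mean the framework generates the key; nothing static to leak.

    pages = _child(system_web, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", 'enableViewStateMac="false": ViewState is accepted without a MAC'))
    return findings


# Constructed: a deployment that copied the sample key and disabled MAC validation.
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SAMPLE_VALIDATION_KEY_FROM_VENDOR_ADVISORY"
                decryptionKey="PLACEHOLDER_SAMPLE_DECRYPTION_KEY_FROM_VENDOR_ADVISORY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed: a unique key (the hex here is a stand-in, generate your own) with MAC on.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, msg in audit_web_config(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {msg}")
```

Run it against every web.config in the site hierarchy, since a static key can also be inherited from a parent configuration, and pair the result with the key rotation the advisory calls for rather than treating a clean audit as the end of the job.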
"This incident underscores the importance of never using sample credentials in production environments," security experts emphasize, noting that similar supply chain vulnerabilities could affect other enterprise platforms.