TechRadar
Sead Fadilpašić

Top CMS Sitecore patches critical zero-day flaw being hit by hackers

  • Sitecore patched a critical zero-day deserialization flaw affecting legacy deployments
  • Threat actors exploited the vulnerability to deploy malware like WeepSteel
  • Mandiant intervened mid-attack, preventing full damage

Popular CMS platform Sitecore has patched a critical zero-day vulnerability that was being abused in cyberattacks.

Security researchers from Mandiant observed threat actors exploiting the zero-day flaw to deploy malware as well as legitimate software.

The flaw stemmed from the use of sample ASP.NET machine keys published in old deployment guides (pre-2017), and is now tracked as CVE-2025-53690. It was given a severity score of 9.0/10 (critical).

WeepSteel and other woes

The zero-day is described as a critical deserialization vulnerability affecting Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), Experience Commerce (XC), and Managed Cloud versions up to 9.0, when deployed using the sample ASP.NET machine key included in pre-2017 documentation.

XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are apparently not impacted.
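The root cause described above, a sample ASP.NET machine key copied from documentation into a live deployment, can be checked for in a site's web.config. The Python below is an added example, not code from Sitecore, Mandiant or the article; the key value and hash list are constructed placeholders (the real sample key is not given on this page), and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a key printed in documentation.
# The real sample key is not given on this page and is NOT reproduced here.
CONSTRUCTED_SAMPLE_KEY = "0123456789ABCDEF" * 8
# Assumption: defenders keep SHA-256 digests of keys known to be public.
KNOWN_PUBLISHED_KEY_HASHES = {
    hashlib.sha256(CONSTRUCTED_SAMPLE_KEY.encode()).hexdigest()
}

def _static_key(value):
    """Return the normalized key if explicitly set, else None (AutoGenerate/absent)."""
    if not value:
        return None
    key = value.split(",")[0].strip().upper()  # drop modifiers such as ",IsolateApps"
    return None if key in ("", "AUTOGENERATE") else key

def audit_machine_key(web_config_xml):
    """Return (attribute, verdict) findings for each <machineKey> in a web.config."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for elem in root.iter("machineKey"):  # also covers <location>-scoped entries
        for attr in ("validationKey", "decryptionKey"):
            key = _static_key(elem.get(attr))
            if key is None:
                continue
            digest = hashlib.sha256(key.encode()).hexdigest()
            if digest in KNOWN_PUBLISHED_KEY_HASHES:
                findings.append((attr, "PUBLISHED_KEY_ROTATE_NOW"))
            else:
                findings.append((attr, "STATIC_KEY_REVIEW_ORIGIN"))
    return findings

# Constructed web.config fragment: validation key copied from a guide.
COPIED_FROM_GUIDE = f"""<configuration><system.web>
  <machineKey validationKey="{CONSTRUCTED_SAMPLE_KEY.lower()},IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
</system.web></configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(COPIED_FROM_GUIDE):
        print(finding)
```

A static key that is not on the published list is reported for review rather than as a finding, since web farms legitimately share one key across nodes; what matters is where the key came from.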

Mandiant stopped the attack mid-execution, which prevented the researchers from observing the full attack lifecycle. Still, they managed to find WeepSteel, a piece of malware designed for internal reconnaissance. This malware gathers system information, as well as process, disk, and network data, and exfiltrates it by disguising it as standard ViewState responses.

Other tools that the attackers were using included Earthworm, which is a network tunneling and reverse SOCKS proxy, Dwagent, which is a remote access tool, and the popular archiver 7-Zip.

While Mandiant led the investigation and disrupted the attack, it did not assign a formal nation-state or criminal group attribution. That said, the tactics, tooling, and operational maturity suggest a targeted campaign by a well-resourced actor, possibly with prior experience in exploiting ASP.NET environments.

Sitecore is a digital experience platform (DXP) used by major brands, including Nestlé, Subway, Suzuki, and Procter & Gamble, to deliver personalized and scalable digital experiences.

Via BleepingComputer
