Hackers exploited zero-day Sitecore vulnerability to install backdoors

05.09.2025 2 minutes Author: Newsman

Mandiant experts have discovered that attackers were actively exploiting the zero-day vulnerability CVE-2025-53690 in older Sitecore deployments, using it to install backdoors and collect data with the WeepSteel malware.

The problem arose from the reuse of an ASP.NET machine key taken from official Sitecore guides, which had been sitting in production systems since 2017. Knowing the key allowed attackers to forge __VIEWSTATE payloads and execute arbitrary code on the server.

The target was the /sitecore/blocked.aspx page, which exposes a ViewState field.

WeepSteel’s information collection

After initial access, the attackers loaded WeepSteel, which disguised its exfiltration as legitimate responses.

Basic reconnaissance commands were run: whoami, tasklist, ipconfig, netstat.

The attackers then used Earthworm for tunneling, Dwagent as a RAT, and 7-Zip to archive the stolen data.

Admin accounts (asp$, sawadmin) were created, the SAM and SYSTEM hives were dumped, and RDP access was enabled.

  • The CVE-2025-53690 vulnerability affected Sitecore Experience Manager, XP, XC, and Managed Cloud versions up to 9.0.

  • XM Cloud, Content Hub, CDP, Personalize, and other new services remained safe.

  • The flaw is not in ASP.NET itself but in its configuration.

  • Sitecore has already called for replacing all static <machineKey> values in web.config with unique keys, encrypting them, and rotating them regularly.
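As an added defender-side check (not from the article, Mandiant, or Sitecore), the Python audit below walks a set of web.config files and flags the conditions the article describes: a <machineKey> that matches a published sample key, a key reused across deployments, and a weak validation algorithm. The config fragments and key values are constructed placeholders, not the real Sitecore sample key.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}   # accepted by ASP.NET, not recommended
# Placeholders standing in for a published sample key (real value not reproduced).
SAMPLE_V, SAMPLE_D = "A1B2C3" * 10 + "0000", "D4E5F6" * 5 + "00"
KNOWN_SAMPLE_KEYS = {SAMPLE_V, SAMPLE_D}

def config(vkey, dkey, validation="HMACSHA256"):
    """Build a minimal constructed web.config with a single <machineKey>."""
    return (f'<configuration><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="{validation}" decryption="AES"/>'
            "</system.web></configuration>")

CONFIGS = {   # constructed configs for four fictional instances
    "cm/web.config": config(SAMPLE_V, SAMPLE_D, "SHA1"),     # copied from a guide
    "cd1/web.config": config("FF" * 32, "EE" * 16),          # unique key, but...
    "cd2/web.config": config("FF" * 32, "EE" * 16),          # ...reused on a 2nd site
    "fixed/web.config": config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

def machine_key_of(xml_text):
    """Return the attributes of the first <machineKey> element, or None."""
    el = next(ET.fromstring(xml_text).iter("machineKey"), None)
    return None if el is None else dict(el.attrib)

def audit_machine_keys(configs, known_sample_keys=frozenset()):
    """configs: {path: web.config text}. Returns {path: [finding, ...]}."""
    findings, owners = defaultdict(list), defaultdict(set)  # owners: (attr, key) -> paths
    for path, text in configs.items():
        mk = machine_key_of(text)
        if mk is None:
            continue                      # no element: ASP.NET auto-generates keys
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue
            if value in known_sample_keys:
                findings[path].append(f"{attr} matches a published sample key")
            else:
                findings[path].append(f"{attr} is static; confirm it is rotated")
            owners[(attr, value)].add(path)
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo in WEAK_VALIDATION:
            findings[path].append(f"validation algorithm {algo} is weak")
    for (attr, _), paths in owners.items():  # same key in more than one deployment
        for p in (paths if len(paths) > 1 else ()):
            others = ", ".join(sorted(paths - {p}))
            findings[p].append(f"{attr} shared with {others}")
    return dict(findings)
```

Point the function at the real web.config files of each environment and populate the sample-key set from your own blocklist; auto-generated keys are safe for a single server, while web farms need one unique key per environment that is rotated on a schedule.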

The incident with Sitecore clearly shows that even examples from the documentation can become an attack vector if they are thoughtlessly copied into production. Businesses need to:

  • verify configurations,

  • update security keys,

  • minimize risks of using template values.
