Legacy Sitecore Flaw Exploited to Deliver WeepSteel Reconnaissance Malware

Attackers are abusing a misconfiguration in outdated Sitecore deployments to gain remote code execution and establish long-term access.

CSBadmin
3 Min Read

Threat actors are actively exploiting a newly identified zero-day vulnerability, CVE-2025-53690, in older Sitecore deployments to deploy the WeepSteel reconnaissance backdoor. The flaw stems from Sitecore's pre-2017 documentation, which included a sample ASP.NET <machineKey>. Some customers copied that sample key into production web.config files, so anyone who has read the old documentation holds the validationKey those servers use to authenticate ViewState. With the key, an attacker can compute a valid MAC over an arbitrary serialized ViewState payload; the server treats the blob as its own and hands it to the .NET deserializer, which yields remote code execution (RCE) via deserialization.

The exploitation centers on the /sitecore/blocked.aspx endpoint, a page that accepts a ViewState field from unauthenticated requests, so no Sitecore credentials are needed. A forged ViewState posted there executes in the IIS worker process under the NETWORK SERVICE account, which is the attackers' initial foothold. The first-stage payload, WeepSteel, collects host reconnaissance data (system information, running processes, disk and network details) and hides its exfiltration by returning the collected data inside what looks like a normal ViewState response.
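To make the mechanism concrete, here is an added, deliberately simplified model of how ASP.NET validates ViewState before deserializing it. This is example code written for this article, not code from Sitecore, Mandiant, or the attackers: real ASP.NET derives per-purpose subkeys from the <machineKey> and uses ObjectStateFormatter, whereas this model uses a plain HMAC-SHA256 over the serialized state plus a page modifier, and a JSON round-trip stands in for the deserializer. The sample key is a constructed placeholder, not the value from the old documentation.

```python
"""Simplified model of ASP.NET ViewState MAC checking (added example, not the article's code).
The MAC is HMAC-SHA256(validationKey, body || modifier); json.loads stands in for
ObjectStateFormatter.Deserialize. DOC_SAMPLE_KEY is a constructed placeholder."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size
# Placeholder for the key copied out of the old documentation (constructed, NOT the real sample value).
DOC_SAMPLE_KEY = hashlib.sha256(b"placeholder for the documentation sample validationKey").digest()
MODIFIER = b"/sitecore/blocked.aspx"  # ASP.NET binds the MAC to the page; the path stands in for that here
ATTACKER_STATE = {"payload": "attacker-chosen serialized object graph (placeholder)"}


def protect(state: dict, modifier: bytes, validation_key: bytes) -> str:
    """Server side: serialize the state and append an HMAC keyed with validationKey."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, body + modifier, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def unprotect(viewstate: str, modifier: bytes, validation_key: bytes) -> Optional[dict]:
    """Server side: check the MAC first; only a blob that passes reaches the deserializer."""
    raw = base64.b64decode(viewstate)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # ASP.NET raises ViewStateException here and never deserializes
    return json.loads(body)  # stand-in for ObjectStateFormatter.Deserialize, where a gadget chain fires


def forge_with_known_key() -> str:
    """Attacker side: with the key in hand, minting 'valid' ViewState is the same call the server makes."""
    return protect(ATTACKER_STATE, MODIFIER, DOC_SAMPLE_KEY)


def server_accepts(validation_key: bytes) -> bool:
    """Does a server configured with validation_key pass the forged blob to its deserializer?"""
    return unprotect(forge_with_known_key(), MODIFIER, validation_key) == ATTACKER_STATE


def server_with_fresh_key_accepts() -> bool:
    """Same forgery against a server whose key was replaced with a unique random one."""
    return server_accepts(secrets.token_bytes(64))


if __name__ == "__main__":
    print("sample key still in production:", server_accepts(DOC_SAMPLE_KEY))  # True
    print("unique random key:", server_with_fresh_key_accepts())               # False
```

The point the model makes is that the MAC check is the only thing standing between an HTTP body and the deserializer: with the documentation key the attacker's blob passes it, and with a unique key the same blob is rejected before any object is constructed. Nothing about the page being unauthenticated changes that; it only removes the need for a Sitecore login.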

The attack lifecycle. Source: cloud.google.com.

From there, the attackers escalate. Mandiant researchers observed common reconnaissance commands (whoami, hostname, tasklist, ipconfig /all, netstat -ano) followed by deployment of Earthworm (network tunneling and reverse SOCKS proxy), Dwagent (remote access tool), and 7-Zip (archiving stolen data). They then created local administrator accounts such as asp$ and sawadmin, dumped the SAM and SYSTEM registry hives (the local password hashes and the boot key needed to decrypt them), and attempted token impersonation with GoTokenTheft.

To maintain persistence, the attackers disabled password expiration on the accounts they had created, enabled RDP access, and registered Dwagent as a Windows service running as SYSTEM. Each of these is an independent way back in, so closing the original ViewState entry point alone does not evict them, which is what makes cleanup and remediation more complex.
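The post-exploitation chain above leaves a recognisable trail in ordinary Windows and IIS telemetry. The following is an added detection example written for this article (not Mandiant's or Sitecore's tooling) that runs a handful of rules over constructed sample events: a POST to the ViewState-bearing page, recon binaries spawned by the IIS worker process, a new local account, password expiry disabled, a remote-access tool installed as a SYSTEM service, and RDP switched on. The event records, field names and paths are constructed stand-ins loosely modelled on IIS W3C, Security 4688/4720/4738, System 7045 and registry-audit fields, not real logs from the intrusion.

```python
"""Rule-based triage over constructed host and IIS events (added example, not the article's code).
Field names are simplified stand-ins for the Windows/IIS originals; adapt to your SIEM schema."""
from __future__ import annotations
import ntpath
from typing import Any

RECON_BINARIES = {"cmd.exe", "powershell.exe", "whoami.exe", "hostname.exe", "tasklist.exe",
                  "ipconfig.exe", "netstat.exe", "net.exe", "net1.exe"}
KNOWN_ACCOUNT_NAMES = {"asp$", "sawadmin"}   # names reported in the intrusion; any new local account still warrants review
REMOTE_ACCESS_TOOLS = {"dwagent", "earthworm"}

# Constructed sample telemetry (not real logs). Two benign records are mixed in to show the rules ignore them.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"source": "iis", "method": "POST", "uri": "/sitecore/blocked.aspx", "status": 200, "cs_bytes": 48213},
    {"source": "iis", "method": "GET", "uri": "/sitecore/login", "status": 200, "cs_bytes": 512},
    {"source": "security", "event_id": 4688, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"source": "security", "event_id": 4688, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"source": "security", "event_id": 4688, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user asp$ /add"},
    {"source": "security", "event_id": 4720, "target_user": "asp$", "subject_user": "NETWORK SERVICE"},
    {"source": "security", "event_id": 4738, "target_user": "sawadmin",
     "uac_change": "'Don't Expire Password' - Enabled"},
    {"source": "system", "event_id": 7045, "service": "DWAgent",
     "image_path": r"C:\ProgramData\DWAgent\dwagent.exe", "account": "LocalSystem"},  # constructed path
    {"source": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 0},
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased, regardless of the host OS."""
    return ntpath.basename(path).lower()


def evaluate(ev: dict[str, Any]) -> list[str]:
    """Return the names of every rule a single event matches (empty list = benign)."""
    hits: list[str] = []
    src, eid = ev.get("source"), ev.get("event_id")
    # Only a POST carries __VIEWSTATE; a GET to the same page is normal browsing.
    if src == "iis" and ev.get("method") == "POST" and ev.get("uri", "").lower().endswith("/sitecore/blocked.aspx"):
        hits.append("viewstate_post_to_blocked_aspx")
    # The IIS worker process has no business launching recon or account-management tools.
    if eid == 4688 and basename(ev.get("parent", "")) == "w3wp.exe" and basename(ev.get("image", "")) in RECON_BINARIES:
        hits.append("iis_worker_spawned_recon")
    if eid == 4720:
        known = ev.get("target_user", "").lower() in KNOWN_ACCOUNT_NAMES
        hits.append("local_account_created_known_ioc" if known else "local_account_created")
    uac = ev.get("uac_change", "").lower()
    if eid == 4738 and "don't expire password" in uac and "enabled" in uac:
        hits.append("password_expiry_disabled")
    blob = (ev.get("service", "") + " " + ev.get("image_path", "")).lower()
    if eid == 7045 and ev.get("account", "").lower() == "localsystem" and any(t in blob for t in REMOTE_ACCESS_TOOLS):
        hits.append("remote_access_tool_installed_as_system")
    if src == "registry" and ev.get("value") == "fDenyTSConnections" and ev.get("data") == 0:
        hits.append("rdp_enabled")
    return hits


def scan(events: list[dict[str, Any]]) -> list[tuple[str, dict[str, Any]]]:
    """Run every rule over every event, preserving event order so the timeline reads top to bottom."""
    return [(rule, ev) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} {ev}")
```

Run on its own the script prints seven findings in timeline order, from the initial POST through to RDP being enabled; the GET to the login page and the explorer.exe-spawned notepad are not flagged. In a real deployment the 4688 rule is the highest-value one: w3wp.exe spawning cmd.exe or net.exe is rare in a healthy Sitecore instance, and it fires before any account is created.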

The flaw affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud up to version 9.0, and only when the deployment uses the sample machine key from the documentation; an instance running with its own unique key is not exposed. Other Sitecore products, including XM Cloud, Content Hub, CDP, Personalize, and OrderCloud, are not affected.

To mitigate the risk, Sitecore has issued a security bulletin advising administrators to immediately replace all static <machineKey> values in web.config with unique, randomly generated keys. On a multi-server farm the same new key must be deployed to every node, since ViewState signed by one node has to validate on the others, and rotation invalidates ViewState and forms-authentication tickets issued under the old key, so plan the change accordingly. Encrypting the <machineKey> section on disk and rotating static keys on a regular schedule are recommended as long-term safeguards.
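The audit and rotation step can be scripted. Below is an added example written for this article, not Sitecore's bulletin text or tooling: it checks the <machineKey> element of a web.config for the conditions that matter here (a key matching a published sample, undersized keys, weak algorithms), finds a validationKey shared across several sites' configs, and rewrites the element with fresh keys from the OS CSPRNG. It assumes the standard configuration/system.web/machineKey layout. The set of known sample keys is left empty on purpose for the operator to fill from Sitecore's bulletin; the sample web.config values are constructed placeholders, not the real documentation key.

```python
"""Audit and rotate <machineKey> in a web.config (added example, not Sitecore's tooling).
KNOWN_SAMPLE_VALIDATION_KEYS is an empty placeholder; fill it from the vendor bulletin."""
from __future__ import annotations
import secrets
import xml.etree.ElementTree as ET

KNOWN_SAMPLE_VALIDATION_KEYS: set[str] = set()   # hypothetical placeholder, populated by the operator
VALIDATION_KEY_HEX_LEN = 128   # 64 bytes, what IIS generates for validation="HMACSHA256"
DECRYPTION_KEY_HEX_LEN = 64    # 32 bytes, AES-256 for decryption="AES"
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}

# Constructed web.config with short, weak, obviously non-random placeholder keys (not the real sample key).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF" decryptionKey="0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""


def generate_machine_key() -> dict[str, str]:
    """Fresh, unique keys in the attribute layout web.config expects."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_HEX_LEN // 2).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_HEX_LEN // 2).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def machine_key_attrs(web_config: str) -> dict[str, str]:
    """Attributes of the <machineKey> element, or {} when the element is absent."""
    mk = ET.fromstring(web_config).find("./system.web/machineKey")
    return dict(mk.attrib) if mk is not None else {}


def audit(web_config: str) -> list[str]:
    """Problems found with one config's <machineKey>; an empty list means nothing flagged."""
    mk = ET.fromstring(web_config).find("./system.web/machineKey")
    if mk is None:
        return []  # no element: ASP.NET auto-generates per machine (fine on one node, wrong for a farm)
    if mk.get("configProtectionProvider"):
        return ["<machineKey> is encrypted on disk; decrypt with aspnet_regiis -pd to audit the values"]
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    problems: list[str] = []
    if vk.upper() in KNOWN_SAMPLE_VALIDATION_KEYS:
        problems.append("validationKey is a published sample key: anyone can forge ViewState")
    if not vk.startswith("AutoGenerate") and len(vk) < VALIDATION_KEY_HEX_LEN:
        problems.append(f"validationKey is {len(vk)} hex chars; expected {VALIDATION_KEY_HEX_LEN}")
    if not dk.startswith("AutoGenerate") and len(dk) < DECRYPTION_KEY_HEX_LEN:
        problems.append(f"decryptionKey is {len(dk)} hex chars; expected {DECRYPTION_KEY_HEX_LEN}")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:    # absent attribute = framework default, not flagged
        problems.append("validation algorithm is weak; use HMACSHA256")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        problems.append("decryption algorithm is weak; use AES")
    return problems


def shared_validation_keys(configs: dict[str, str]) -> dict[str, list[str]]:
    """Map each static validationKey used by more than one site to those sites.
    A key shared across unrelated deployments is exactly the CVE-2025-53690 condition."""
    seen: dict[str, list[str]] = {}
    for site, xml in configs.items():
        vk = machine_key_attrs(xml).get("validationKey")
        if vk and not vk.startswith("AutoGenerate"):
            seen.setdefault(vk.upper(), []).append(site)
    return {k: v for k, v in seen.items() if len(v) > 1}


def rotate(web_config: str) -> str:
    """Return the config with <machineKey> replaced by freshly generated keys (created if absent)."""
    root = ET.fromstring(web_config)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(generate_machine_key())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_WEB_CONFIG))
    print("after: ", audit(rotate(SAMPLE_WEB_CONFIG)))
```

Two practical notes. ElementTree drops XML comments and the declaration when it re-serialises, so on a production web.config either apply the generated attributes with a comment-preserving editor or use IIS Manager's Machine Key feature with the same values on every farm node. Once the new keys are in place, encrypt the section on disk with the standard tool, aspnet_regiis -pe "system.web/machineKey" for the application, which is the "encrypt the <machineKey> element" step in Sitecore's bulletin.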

CVE-2025-53690 shows how a legacy misconfiguration can resurface as a critical vulnerability years later. Organizations running older Sitecore versions should replace and encrypt their machine keys, enforce credential hygiene, and review their environments for the indicators described above: unexpected processes spawned by the IIS worker, new local administrator accounts such as asp$ and sawadmin, Dwagent or Earthworm on web servers, and RDP newly enabled. Proactive key rotation and strict security baselines for ASP.NET deployments are essential to prevent a repeat.
