Top CMS Sitecore patches critical zero-day flaw being hit by hackers


  • Sitecore patched a critical zero-day deserialization flaw affecting legacy deployments
  • Threat actors exploited the vulnerability to deploy malware like WeepSteel
  • Mandiant intervened mid-attack, preventing full damage

Popular CMS platform Sitecore has patched a critical zero-day vulnerability that was being actively abused in cyberattacks.

Security researchers from Mandiant observed threat actors exploiting a zero-day flaw to deploy malware alongside otherwise legitimate software.

The flaw stemmed from the use of sample ASP.NET machine keys published in old deployment guides (pre-2017), and is now tracked as CVE-2025-53690. It was given a severity score of 9.0/10 (critical).

WeepSteel and other woes

The zero-day is described as a critical deserialization vulnerability affecting Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), Experience Commerce (XC), and Managed Cloud versions up to 9.0, when deployed using the sample ASP.NET machine key included in pre-2017 documentation.
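As an added illustration, not code from the article, Sitecore or Mandiant, here is a defender-side check for the root cause described above: a script that parses an ASP.NET web.config and flags machineKey values that match publicly documented sample keys. The key strings and their hashes are constructed placeholders; a real audit would populate the hash set from the vendor's published sample-key values.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder set: SHA-256 of machineKey values lifted from public
# sample documentation. Hashing the known values lets the list be shared
# without redistributing the keys themselves. Illustrative only.
KNOWN_SAMPLE_KEY_HASHES = {
    hashlib.sha256(b"PLACEHOLDER-SAMPLE-VALIDATION-KEY").hexdigest(),
    hashlib.sha256(b"PLACEHOLDER-SAMPLE-DECRYPTION-KEY").hexdigest(),
}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings about the <machineKey> element of a web.config document.

    An empty list means nothing suspicious was found. A deployment whose
    validationKey or decryptionKey is a published sample value lets anyone who
    has read the same guide forge signed ViewState, so each such key is reported.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    # iter() avoids ElementPath parsing of the dotted <system.web> tag name.
    machine_key = next(root.iter("machineKey"), None)
    if machine_key is None:
        # No explicit element: ASP.NET auto-generates per-machine keys.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue  # runtime-generated, cannot be a documentation sample
        digest = hashlib.sha256(value.encode()).hexdigest()
        if digest in KNOWN_SAMPLE_KEY_HASHES:
            findings.append(
                f"{attr} matches a publicly documented sample key; rotate it"
            )
    return findings


# Constructed sample config reproducing the risky pattern: keys copied verbatim
# from a guide rather than generated for this deployment.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-SAMPLE-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-SAMPLE-DECRYPTION-KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
```

Run it against each web.config in a Sitecore content-delivery and content-management role; a match on either key is a reason to generate fresh keys and rotate them across every instance that shares them.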

XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are apparently not impacted.

Mandiant stopped the attack mid-execution, which prevented the researchers from observing the full attack lifecycle. Still, they managed to find WeepSteel, a piece of malware designed for internal reconnaissance. It gathers system information along with process, disk, and network data, and exfiltrates the collected data disguised as ordinary ViewState responses.

Other tools the attackers used included Earthworm, a network tunneling and reverse SOCKS proxy tool; Dwagent, a remote access tool; and the popular archiver 7-Zip.

While Mandiant led the investigation and disrupted the attack, it did not assign a formal nation-state or criminal group attribution. That said, the tactics, tooling, and operational maturity suggest a targeted campaign by a well-resourced actor, possibly with prior experience in exploiting ASP.NET environments.

Sitecore is a digital experience platform (DXP) used to deliver personalized and scalable digital experiences; its customers include major brands such as Nestlé, Subway, Suzuki, and Procter & Gamble.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
