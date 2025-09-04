Security analysts at the Mandiant Threat Defense team have disrupted an attack exploiting a zero-day vulnerability in Sitecore, a popular content management system (CMS) used by companies such as HSBC, L’Oréal, Toyota and United Airlines.

In a report published on September 3, Mandiant, part of Google Cloud, said that the attack leveraged exposed ASP.NET machine keys in Sitecore deployment guides from 2017 and earlier to perform remote code execution (RCE).

ASP.NET is a web application framework developed by Microsoft for building dynamic websites, web apps and application programming interfaces (APIs). ASP.NET machine keys (the validationKey and decryptionKey configured in the <machineKey> element of web.config or machine.config) are the secrets an application uses to sign and encrypt ViewState, forms-authentication tickets and similar tokens; whoever holds them can produce data the server will accept as authentic.

The keys themselves were exposed because they were printed as sample values in the documentation. What turns a known key into remote code execution is a ViewState deserialization weakness in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP): an attacker who knows the validationKey can craft a malicious ViewState payload with a valid message authentication code, and the server deserializes it as trusted data.

Ryan Dewhurst, head of proactive threat intelligence at WatchTowr, commented: “The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones - a move we don't recommend.”

Mandiant reported the flaw to Sitecore. Wiz, a CVE Numbering Authority (CNA) for the Common Vulnerabilities and Exposures program, disclosed it publicly on September 3 as CVE-2025-53690, with a CVSS score of 9.0 (critical).

When exploited, CVE-2025-53690 allows code injection in Sitecore XM and Sitecore XP up to version 9.0.

Mandiant stated that the vulnerability affects customers who deployed any version of several Sitecore products using the sample key printed in publicly available deployment guides, specifically those for Sitecore XP 9.0 and for Active Directory 1.4 and earlier versions.
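The practical check a defender wants here is whether a deployment's web.config carries a hard-coded machineKey that was copied from a public guide, and how to replace it. The following Python script is an added example and is not code from Mandiant, Sitecore or Wiz; the "published" key values it matches against are constructed stand-ins with the right shape (128 hex characters for an HMACSHA256 validationKey, 64 for an AES-256 decryptionKey), not the real documentation samples, and the web.config inputs are constructed too. It classifies a config as critical (matches a known public sample), static (hard-coded but not known-public, so verify it is unique and secret), ok (AutoGenerate) or inherited (no element in this file), and generates a fresh key pair for remediation.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-ins for keys copied out of a public deployment guide.
# These are NOT the real Sitecore documentation values; a real audit would
# load the published samples from the affected guides into this set.
KNOWN_PUBLISHED_KEYS = {
    "0123456789ABCDEF" * 8,   # 128 hex chars, shaped like an HMACSHA256 validationKey
    "FEDCBA9876543210" * 4,   # 64 hex chars, shaped like an AES-256 decryptionKey
}

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def _find_machine_key(root):
    """Return the <machineKey> element under <configuration><system.web>, or None."""
    system_web = next((c for c in root if c.tag == "system.web"), None)
    if system_web is None:
        return None
    return next((c for c in system_web if c.tag == "machineKey"), None)


def audit_machine_key(web_config_xml, known_keys=KNOWN_PUBLISHED_KEYS):
    """Classify the machineKey in a web.config.

    Returns per-attribute verdicts for validationKey and decryptionKey plus 'status':
      critical  - a key matches a published sample (anyone can forge ViewState MACs)
      static    - keys are hard-coded but not known-public; verify they are unique and secret
      ok        - keys are AutoGenerate (fine for a single server, not for a farm)
      inherited - no <machineKey> in this file; check machine.config / IIS instead
    """
    root = ET.fromstring(web_config_xml)
    mk = _find_machine_key(root)
    if mk is None:
        return {"status": "inherited"}

    upper_known = {k.upper() for k in known_keys}
    result = {}
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):      # e.g. "AutoGenerate,IsolateApps"
            result[attr] = "autogenerate"
        elif value.upper() in upper_known:
            result[attr] = "published_sample_key"
        elif HEX_RE.fullmatch(value):
            result[attr] = "static"
        else:
            result[attr] = "malformed"

    verdicts = set(result.values())
    if "published_sample_key" in verdicts:
        result["status"] = "critical"
    elif "static" in verdicts or "malformed" in verdicts:
        result["status"] = "static"
    else:
        result["status"] = "ok"
    return result


def generate_machine_key():
    """Fresh, unique keys: 64-byte HMACSHA256 validation key, 32-byte AES key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def render_machine_key(keys):
    """The <machineKey> element to place in <system.web> (identical on every farm node)."""
    return (
        '<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
        'validation="HMACSHA256" decryption="AES" />'
    ).format(**keys)


def web_config_with(machine_key_element):
    """Wrap a <machineKey> element in a minimal constructed web.config."""
    return (
        '<?xml version="1.0"?>\n<configuration>\n  <system.web>\n    '
        + machine_key_element + "\n  </system.web>\n</configuration>\n"
    )


# Constructed inputs: a config that pasted the guide's sample, and the framework default.
COPIED_FROM_GUIDE = web_config_with(
    '<machineKey validationKey="' + "0123456789ABCDEF" * 8 + '" '
    'decryptionKey="' + "FEDCBA9876543210" * 4 + '" '
    'validation="HMACSHA256" decryption="AES" />'
)
DEFAULT_AUTOGENERATE = web_config_with(
    '<machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps" />'
)

if __name__ == "__main__":
    print(audit_machine_key(COPIED_FROM_GUIDE))
    print(audit_machine_key(DEFAULT_AUTOGENERATE))
    print(render_machine_key(generate_machine_key()))
```

Rotating the key is only half of the fix: every ViewState, forms-authentication cookie and other token signed under the old key becomes invalid, which is the intended effect, but an attacker who already achieved code execution may have planted persistence that survives the key change, so a config rotation should be paired with an investigation of the host.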

Attack Chain Exploiting Sitecore Flaw

Mandiant’s rapid response team disrupted the attack before its full lifecycle could be observed, but the investigation still uncovered key adversary tactics.

The threat actor demonstrated sophisticated knowledge of the targeted product and its vulnerabilities, executing a methodical attack chain: