Sitecore CMS Provider Patches Critical Zero-Day Vulnerability That Was Exploited

Google Cloud's Mandiant managed to thwart an ongoing ViewState deserialization assault targeting Sitecore implementations

In a recent development, cybersecurity firm WatchTowr has revealed a series of vulnerabilities in Sitecore products that could potentially be chained together for large-scale attacks. This revelation comes after Mandiant's Threat Defense team disrupted an attack exploiting a zero-day vulnerability in Sitecore, a popular content management system used by numerous organisations globally, including HSBC, L'Oréal, Toyota, and United Airlines.

The vulnerability, identified as CVE-2025-53690, affects customers who deployed any version of several Sitecore products using the sample machine key printed in publicly available deployment guides. Specifically, Sitecore XP 9.0 and Active Directory 1.4 and earlier versions were confirmed vulnerable.

The attack leveraged exposed ASP.NET machine keys in Sitecore deployment guides from 2017 and earlier to perform remote code execution (RCE). When exploited, CVE-2025-53690 allows code injection in Sitecore XM and Sitecore XP up to version 9.0.

Ryan Dewhurst, head of proactive threat intelligence at WatchTowr, commented that the issue stemmed from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones. He further stated that the blast radius of the attack remains unknown.

Several organisations, including multiple U.S. civilian federal agencies, used Sitecore software systems affected by the CVE-2025-53690 vulnerability before addressing the issue. The vulnerability was due to the use of a sample machine key from Sitecore implementation guides of 2017 and earlier that many customers never replaced, allowing attackers to gain system access until patches and notifications were issued by Sitecore.

Mandiant's rapid response team disrupted the attack before its full lifecycle could be observed, but the investigation still uncovered key adversary tactics. Caitlin Condon, a security analyst at Mandiant, stated that this attack is another piece of evidence that "threat actors definitely read documentation." She also advised impacted customers to rotate their machine keys immediately.

Sitecore released a security advisory on September 3 for customers to mitigate the threat, and the company's latest deployments now automatically generate unique machine keys. Impacted customers have been notified by Sitecore.
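The remediation the advisory describes (replace a copied sample key with a unique one), as an added example that is not code from Sitecore, Mandiant or this article: a Python audit that flags a web.config whose `<machineKey>` still carries a documentation sample value and generates a replacement pair. The values in `KNOWN_SAMPLE_KEYS` and `SAMPLE_WEB_CONFIG` are constructed placeholders, since the article does not reproduce the real sample key.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for the sample keys printed in the
# 2017-and-earlier deployment guides; the real values are not reproduced here.
KNOWN_SAMPLE_KEYS = {
    "validationKey": {"A" * 128},
    "decryptionKey": {"B" * 64},
}

def audit_machine_key(web_config_xml: str) -> list:
    """Return findings for the <system.web><machineKey> element of a web.config."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # Absent element: ASP.NET auto-generates keys per server, so a forged
        # ViewState needs that server's key, but a load-balanced farm will break.
        return ["no <machineKey> element (keys auto-generated per server)"]
    findings = []
    for attr, expected_hex_len in (("validationKey", 128), ("decryptionKey", 64)):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if value in KNOWN_SAMPLE_KEYS[attr]:
            findings.append(f"{attr} equals a published sample key: rotate now")
        elif len(value) < expected_hex_len:
            findings.append(f"{attr} is only {len(value)} hex chars; expected {expected_hex_len}")
    alg = (mk.get("validation") or "").upper()
    if alg in ("MD5", "SHA1", "3DES"):
        findings.append(f"validation algorithm {alg} is weak; use HMACSHA256 or stronger")
    return findings

def generate_machine_key() -> dict:
    """Fresh per-deployment keys: 64-byte HMACSHA256 validationKey, 32-byte AES decryptionKey."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }

# Constructed web.config fragment that still carries the placeholder sample keys.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format(v="A" * 128, d="B" * 64)

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("replacement:", generate_machine_key())
```

Run it against each site's web.config; every server in a Sitecore farm must receive the same new pair, otherwise ViewState from one node fails validation on the others.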

CVE-2025-53690 is a severe vulnerability: it is remotely exploitable, yields code execution, and was being exploited before a patch existed. The machine keys at its root are the cryptographic keys ASP.NET uses to sign and encrypt ViewState and other critical operations; because those keys were printed in the deployment guides, forged ViewState passes validation and is deserialised by Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP), which is the ViewState deserialization vulnerability Mandiant observed under attack.

The threat actor demonstrated sophisticated knowledge of the targeted product and its vulnerabilities, executing a methodical attack chain.

The incident also raises network access concerns. Rotating keys and locking down configurations aren't enough on their own if threat actors have already gained access to an organisation's network, so impacted customers should also hunt for signs of compromise. It underscores the importance of maintaining robust security measures and vigilance in the face of evolving threats.
