Zero-Day Exploited in Sitecore Deployments to Deploy WeepSteel Malware
By Amelia Davies | SAN FRANCISCO – 2025/09/05 11:15:11
Cybersecurity researchers have uncovered active exploitation of a zero-day vulnerability affecting older Sitecore deployments. The attacks involve the deployment of WeepSteel, a reconnaissance malware.
Tracked as CVE-2025-53690, the vulnerability is a ViewState deserialization weakness. It exists because a sample ASP.NET machine key was included in Sitecore deployment documentation published before 2017.
Some Sitecore customers reportedly copied that sample key into their production environments. Because the validation key is public, an attacker can craft a ‘__VIEWSTATE’ payload that carries a valid message authentication code; the server accepts it, deserializes the attacker-supplied object graph and executes code, resulting in remote code execution (RCE).
The vulnerability is not an inherent flaw in ASP.NET; it is a misconfiguration caused by reusing a publicly available key that was never intended for production use.
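The following is an added example, not code from the article, Sitecore or Mandiant. It is a deliberately simplified model of ASP.NET's ViewState MAC check: real ASP.NET frames the blob differently and newer versions derive per-purpose subkeys from the machineKey, but the property it demonstrates is the same. The MAC proves integrity only while the validation key is secret; once the key is published (here a constructed placeholder, not the real Sitecore sample key), an attacker runs the server's own routine to produce a blob the server will accept and hand to its deserializer.

```python
# Added example: simplified ViewState MAC model showing why a public machineKey
# makes __VIEWSTATE forgeable. Not ASP.NET's real framing; the property is the same.
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed placeholder standing in for a key copied out of public documentation.
# It is NOT the real Sitecore sample key; the point is only that an attacker knows it.
DOCUMENTED_SAMPLE_KEY = bytes.fromhex("AB" * 64)


def mac_viewstate(state: bytes, validation_key: bytes, modifier: bytes) -> str:
    """Server side of page rendering: append HMAC(key, state || modifier), base64-encode."""
    tag = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def check_viewstate(blob: str, validation_key: bytes, modifier: bytes) -> Optional[bytes]:
    """Server side of postback: return the state bytes only if the MAC verifies.

    In ASP.NET the returned bytes go straight into the ObjectStateFormatter
    deserializer; a valid MAC over attacker-chosen bytes is what turns a known
    key into remote code execution.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) < MAC_LEN:
        return None
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state


def forge_viewstate(attacker_state: bytes, leaked_key: bytes, modifier: bytes) -> str:
    """Attacker side: with the key in hand, forging is just the server's own routine."""
    return mac_viewstate(attacker_state, leaked_key, modifier)


def server_accepts_forgery(server_key: bytes) -> bool:
    """Does a server configured with server_key accept a blob forged with the documented key?"""
    # The modifier (ASP.NET's __VIEWSTATEGENERATOR plus any ViewStateUserKey) is
    # sent to the client in the page, so it adds no secrecy; only the key does.
    modifier = b"blocked.aspx-generator"
    payload = b"<attacker-controlled object graph goes here>"
    blob = forge_viewstate(payload, DOCUMENTED_SAMPLE_KEY, modifier)
    return check_viewstate(blob, server_key, modifier) is not None


if __name__ == "__main__":
    print("server using documented sample key accepts forgery:",
          server_accepts_forgery(DOCUMENTED_SAMPLE_KEY))
    print("server using fresh random key accepts forgery:",
          server_accepts_forgery(secrets.token_bytes(64)))
```

Note that nothing about the check itself is broken: HMAC-SHA256 with a constant-time compare is sound. A unique, secret key is the entire security boundary, which is why the mitigation is key replacement rather than a code patch.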
Exploitation Details
According to Mandiant, which discovered the attacks, threat actors exploit the vulnerability in multi-stage intrusions. The initial target is the ‘/sitecore/blocked.aspx’ endpoint, which exposes a ViewState field to unauthenticated requests; a forged ViewState yields RCE under the IIS NETWORK SERVICE account.
The payload deployed is WeepSteel, a reconnaissance backdoor. It collects system, process, disk and network information and disguises the exfiltrated data as ordinary ViewState responses.

Source: Mandiant
Mandiant observed reconnaissance commands executed on compromised systems, including whoami, hostname, tasklist, ipconfig /all and netstat -ano.
In subsequent stages, the attackers deployed Earthworm (a network tunnelling and reverse SOCKS proxy tool), dwagent (a remote access tool) and 7-Zip, which was used to archive stolen data.
The attackers then escalated privileges by creating local administrator accounts (‘asp$’, ‘sawadmin’), dumping the SAM and SYSTEM registry hives to obtain cached credentials, and attempting token impersonation with GoTokenTheft.
For persistence, they disabled password expiration on these accounts, granted them RDP access, and registered dwagent as a SYSTEM service.
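The post-exploitation chain above gives a defender concrete things to look for: the IIS worker process should never be the parent of reconnaissance, account-management or registry-hive-dumping commands. The block below is an added example (not Mandiant's or Sitecore's tooling) that runs that logic over constructed process-creation events using Sysmon Event ID 1 field names; the events, paths and command lines are made up for illustration, with the account names taken from the article.

```python
# Added example: detection logic for w3wp.exe spawning the post-exploitation
# commands described above. Runs over constructed Sysmon-style events.
import re
from typing import List, Optional, Tuple

WEB_WORKER = "w3wp.exe"
RECON_BINARIES = {"whoami.exe", "hostname.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}
RECON_RE = re.compile(r"\b(whoami|hostname|tasklist|ipconfig|netstat)\b")

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
NETSVC = r"NT AUTHORITY\NETWORK SERVICE"  # identity the article reports for the worker

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "User": NETSVC, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"id": 2, "User": NETSVC, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"id": 3, "User": NETSVC, "ParentImage": W3WP, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net.exe user asp$ Str0ngPass! /add"},
    {"id": 4, "User": NETSVC, "ParentImage": W3WP, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net.exe localgroup administrators sawadmin /add"},
    {"id": 5, "User": NETSVC, "ParentImage": W3WP, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"id": 6, "User": NETSVC, "ParentImage": W3WP, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a C:\Windows\Temp\out.7z C:\Windows\Temp\loot"},
    # Benign: an administrator running whoami interactively.
    {"id": 7, "User": r"CORP\admin", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Benign: ASP.NET dynamic compilation spawned by the worker.
    {"id": 8, "User": NETSVC, "ParentImage": W3WP,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @C:\\Windows\\Temp\\abc.cmdline"},
]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Return a reason string if the event matches the web-worker post-exploitation pattern."""
    if _basename(ev.get("ParentImage", "")) != WEB_WORKER:
        return None
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if image in RECON_BINARIES or RECON_RE.search(cmd):
        return "reconnaissance command spawned by IIS worker"
    if image in ("net.exe", "net1.exe") and "/add" in cmd:
        if "localgroup" in cmd and "administrators" in cmd:
            return "account added to local Administrators by IIS worker"
        if " user " in cmd:
            return "local account created by IIS worker"
    if image == "reg.exe" and " save " in cmd and ("hklm\\sam" in cmd or "hklm\\system" in cmd):
        return "SAM/SYSTEM hive dump by IIS worker"
    if image in ("7z.exe", "7za.exe"):
        return "7-Zip archiving by IIS worker (staging for exfiltration)"
    return None


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run classify over a batch and return (event id, reason) for every hit."""
    return [(ev["id"], reason) for ev in events if (reason := classify(ev))]


if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The parent-process check carries the detection; the account being NETWORK SERVICE is corroborating context, not the trigger, since the same pattern from a differently configured application pool identity is just as suspicious. Tune the compiler and other known-good children of w3wp.exe per environment before alerting.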

Source: Mandiant
Mitigation Steps for CVE-2025-53690
CVE-2025-53690 affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) and Managed Cloud, up to version 9.0, when deployed using the sample ASP.NET machine key included in documentation released before 2017.
The following Sitecore products are not affected: XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server.
Sitecore has released a security bulletin in conjunction with Mandiant’s findings. The bulletin warns that multi-instance deployments using static machine keys are also at risk.
Administrators of potentially affected systems are advised to immediately replace all static <machineKey> values in web.config with new, unique keys and to encrypt the <machineKey> section of web.config.
Regular rotation of static machine keys is also recommended as an ongoing security practice.
Microsoft's ASP.NET documentation provides further guidance on protecting machine keys from unauthorized access.
Frequently Asked Questions
What is a zero-day vulnerability?
A zero-day vulnerability is a software flaw that is unknown to, or unpatched by, the vendor at the time attackers begin exploiting it. This means there is no official patch or fix available when the exploitation is first discovered.
What is ViewState?
ViewState is an ASP.NET feature that maintains the state of a page's controls across requests. The server serializes that state into a hidden form field (__VIEWSTATE) sent to the client and deserializes it when the page is posted back; a MAC computed with the machine key is what stops the client from tampering with it.
How can I check if my Sitecore instance is vulnerable?
Check the <machineKey> element in your web.config for static validationKey and decryptionKey values, especially if you run Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) or Managed Cloud up to version 9.0 and deployed using the sample ASP.NET machine key from pre-2017 documentation. Replace any such key with unique, randomly generated values and encrypt the section.
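The mitigation steps above and this FAQ answer describe the same procedure: find the machineKey element, decide whether its keys are static or match a published sample, and replace them with fresh random values. The block below is an added example that does that, not Sitecore's or Mandiant's tooling. The web.config fragment is constructed, the key values in it are placeholders of the right length and not the real Sitecore sample key, and the known-public-key set is something the operator fills in from the vendor bulletin; here it contains only the placeholder so the matching path is exercised.

```python
# Added example: audit and rotate the <machineKey> element of an ASP.NET web.config.
# Sample config and key values are constructed placeholders, not real Sitecore data.
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List, Optional

SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
""".format(v="AB" * 64, d="CD" * 32)

# Operators populate this from the vendor bulletin; here only the placeholder above.
KNOWN_PUBLIC_KEYS: FrozenSet[str] = frozenset({("AB" * 64).upper()})


def find_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the attributes of <configuration>/<system.web>/<machineKey>, if present."""
    root = ET.fromstring(config_xml)
    for section in root:
        if section.tag == "system.web":
            for child in section:
                if child.tag == "machineKey":
                    return dict(child.attrib)
    return None


def audit_machine_key(config_xml: str,
                      known_public_keys: FrozenSet[str] = KNOWN_PUBLIC_KEYS) -> List[str]:
    """Findings for the machineKey configuration; an empty list means nothing to report."""
    attrs = find_machine_key(config_xml)
    if attrs is None:
        return ["no machineKey element: keys are auto-generated per server "
                "(fine for one instance; a farm needs a shared, unique key instead)"]
    findings: List[str] = []
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate,IsolateApps")  # ASP.NET default when absent
        if value.startswith("AutoGenerate"):
            continue
        findings.append(f"{name} is static; rotate it to a fresh unique value")
        if value.upper() in known_public_keys:
            findings.append(f"{name} matches a known public/sample key: "
                            "__VIEWSTATE is forgeable, treat the host as compromised")
    return findings


def new_machine_key() -> Dict[str, str]:
    """Fresh random keys: 64-byte validationKey for HMACSHA256, 32-byte decryptionKey for AES-256."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}


def replace_machine_key(config_xml: str, keys: Dict[str, str]) -> str:
    """Rewrite the two key attributes in place, leaving the rest of the file byte-for-byte intact."""
    out = config_xml
    for name, value in keys.items():
        out, n = re.subn(rf'{name}="[^"]*"', f'{name}="{value}"', out, count=1)
        if n != 1:
            raise ValueError(f"{name} attribute not found in machineKey element")
    return out


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("-", finding)
    print(replace_machine_key(SAMPLE_WEB_CONFIG, new_machine_key()))
```

After writing the new web.config, encrypt the section on the server with aspnet_regiis.exe from the .NET Framework directory, e.g. `aspnet_regiis.exe -pef "system.web/machineKey" <physical path of the site>`, and deploy the same new key to every instance of a multi-instance deployment, since ViewState produced by one node must validate on the others. Rotating the key invalidates outstanding ViewState and forms-authentication tickets, so do it in a maintenance window; the audit still reports the rotated keys as static, which is expected for a farm, but it should no longer report a public-key match.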
