Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Sitecore ViewState Deserialization RCE via Exposed Sample machineKey

IdentifiersCVE-2025-53690CWE-502· Deserialization of Untrusted Data

CVE-2025-53690 is a critical deserialization of untrusted data vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) through version 9.0. The issue is described as a ViewState deserialization flaw in ASP.NET handling within Sitecore deployments that reused a publicly exposed sample machineKey from older Sitecore deployment guidance. Because the machineKey is used to validate and protect ViewState, an attacker who knows the reused sample key can forge a malicious ViewState payload that the server accepts as legitimate. The supplied content also indicates exploitation against endpoints such as /sitecore/blocked.aspx using crafted HTTP POST requests containing malicious ViewState data. Successful deserialization of attacker-controlled .NET objects can result in arbitrary code execution in the Sitecore application context, commonly noted as the IIS application pool / NETWORK SERVICE context. The vulnerability has been reported as actively exploited in the wild.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables pre-authentication remote code execution against vulnerable internet-facing Sitecore deployments using the exposed sample machineKey. An attacker can execute arbitrary code on the Sitecore server, deploy malware or backdoors such as WeepSteel, create unauthorized administrative accounts, install persistence tooling such as DWAgent, establish tunnels with tools such as Earthworm, dump credentials including SAM and SYSTEM hives, exfiltrate sensitive files such as web.config, and use the compromised host for lateral movement and broader enterprise compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrading is not possible, mitigate by urgently replacing reused sample/default machineKey values with unique strong keys, restricting public exposure of Sitecore instances where feasible, and closely monitoring Sitecore endpoints for suspicious ViewState-bearing POST requests, especially to paths such as /sitecore/blocked.aspx. Hunt for indicators of compromise noted in the content, including unexpected admin accounts such as asp$ or sawadmin, unsigned or unusual DLLs such as Information.dll in Sitecore directories, execution of dwagent.exe, ew.exe, or unexpected 7z.exe, registry hive export activity, and anomalous child processes from the Sitecore/IIS worker process. Additional defensive measures include WAF filtering for malicious ViewState patterns and limiting access to administrative or unnecessary public-facing Sitecore functionality.

Remediation

Patch, then assume compromise.

Upgrade affected Sitecore products beyond version 9.0 and apply Sitecore’s security fixes and hardening guidance referenced in the provided content. Replace any default, sample, hardcoded, or previously exposed ASP.NET <machineKey> values in web.config with unique, cryptographically strong keys generated per deployment. Review all Sitecore instances, including XM, XP, and any other deployments mentioned in the environment, for reuse of legacy sample keys from pre-2017 deployment documentation. Rotate machine keys wherever reuse is suspected, validate that no exposed sample keys remain in production, and investigate for compromise if the instance was internet-facing. Apply vendor guidance such as KB1003865 where applicable.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SitecoreExperience Commerceapplication
SitecoreExperience Managerapplication
SitecoreExperience Platformapplication
SitecoreManaged Cloudapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

118 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

118 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

A critical Sitecore vulnerability that CISA reports is under active exploitation in the wild.

Read more
secpod blogNews
Jan 19, 2026
Unmasking UAT-8837: The Zero-Day Exploit That Could Ruin Your Year - SecPod Blog

A critical Sitecore ASP.NET ViewState insecure deserialization issue caused by default/sample ASP.NET machineKey values, enabling attackers to forge ViewState payloads, bypass authentication, and achieve remote code execution (RCE) (noted as running under IIS NETWORK SERVICE).

Read more
security affairsNews
Jan 17, 2026
China-linked APT UAT-8837 targets North American critical infrastructure

A zero-day ViewState deserialization vulnerability affecting SiteCore products, reportedly exploited in recent activity and associated with UAT-8837 infrastructure and TTPs.

Read more
scworldNews
Jan 16, 2026
North American critical infrastructure subjected to Chinese attacks | SC Media

A critical zero-day vulnerability in Sitecore reportedly used for initial access by the Chinese state-sponsored operation UAT-8837 against North American critical infrastructure entities.

Read more
+24 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware8

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity90

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-53690
NVD
nvd.nist.gov/vuln/detail/CVE-2025-53690
MITRE CWE · CWE-502
Deserialization of Untrusted Data
Vendor Advisory
support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
Third Party Advisory
cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690