CISA Warns of Active Exploitation in Sitecore Experience Platform

Federal agencies must patch Sitecore by September 25, 2025 to address CVE-2025-53690, a critical flaw (CVSS 9.0) that enables remote code execution through an exposed ASP.NET machine key. Mandiant, which discovered the campaign, reports that attackers abuse a sample (default) machine key that operators copied from outdated Sitecore deployment guides into production web.config files. Because the validationKey is what proves a ViewState blob is genuine, anyone holding the published key can forge a valid MAC over a malicious serialized payload; the server then deserializes it, giving the attacker code execution as the web application. From that initial access they escalate privileges, move laterally, and steal data.


The intrusion tooling includes WEEPSTEEL, a .NET payload delivered through the forged ViewState that performs host reconnaissance and supports persistence. Threat actors then create local administrator accounts, dump credentials, and deploy EarthWorm (tunneling), DWAgent (remote access), and SharpHound (Active Directory enumeration) to maintain and extend control of the network.


Experts warn that many Sitecore deployments remain vulnerable because they still run with reused static keys. Organizations are advised to rotate the machine key on every affected instance, review web.config for copied keys and legacy validation settings, and hunt for signs of compromise immediately; rotating the key blocks new ViewState forgery but does not evict an attacker who has already planted accounts or tooling. Sitecore now auto-generates unique keys for new installs and has contacted affected customers, but the full impact is still unknown.
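The following script is an added illustration of the two points above (why a copied validationKey lets an attacker forge ViewState, and what rotating the key should look like); it is not code from Sitecore, Mandiant, or CISA. It assumes a constructed web.config, uses a placeholder hex string as a stand-in for the published sample key (substitute the real indicator from the vendor and Mandiant advisories), and models ViewState integrity as a plain HMAC-SHA256 over the payload, which is a simplification of ASP.NET's actual MAC construction.

```python
"""Audit a web.config <machineKey> for a copied sample key and rotate it.

Added illustration, not Sitecore's, Mandiant's or CISA's code. Assumptions:
the web.config below is constructed; SAMPLE_* are placeholders for the
published sample key the attackers abused (replace with the real indicator);
sign_viewstate() is a simplified model of what validationKey protects, not
ASP.NET's exact ViewState MAC format.
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

# Stand-ins for the published sample key (assumption: NOT the real values).
SAMPLE_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 64 bytes, HMACSHA256 size
SAMPLE_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 32 bytes, AES-256 size
KNOWN_SAMPLE_KEYS = {SAMPLE_VALIDATION_KEY, SAMPLE_DECRYPTION_KEY}

# Constructed web.config that copied the guide's <machineKey> verbatim.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="{SAMPLE_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def find_machine_key(config_xml: str) -> dict:
    """Return the <machineKey> attributes, or {} if none is set explicitly."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    return dict(node.attrib) if node is not None else {}


def audit_machine_key(config_xml: str) -> list:
    """Findings a responder acts on: copied sample key, legacy MAC, MAC disabled."""
    findings = []
    mk = find_machine_key(config_xml)
    for attr in ("validationKey", "decryptionKey"):
        if mk.get(attr, "").upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a published sample key: ViewState is forgeable")
    if mk:
        # Absent attributes fall back to the .NET 4.x defaults (HMACSHA256 / AES).
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation not in STRONG_VALIDATION:
            findings.append(f"validation={validation} is a legacy MAC; use HMACSHA256")
        if mk.get("decryption", "AES").upper() != "AES":
            findings.append("decryption is not AES; use AES")
    pages = ET.fromstring(config_xml).find(".//pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without a MAC")
    return findings


def rotate_machine_key(config_xml: str) -> tuple:
    """Replace <machineKey> with fresh per-deployment keys; returns (new_xml, new_attrs)."""
    root = ET.fromstring(config_xml)
    node = root.find(".//machineKey")
    if node is None:
        parent = root.find("system.web")
        if parent is None:
            parent = ET.SubElement(root, "system.web")
        node = ET.SubElement(parent, "machineKey")
    new_attrs = {
        "validationKey": secrets.token_hex(64).upper(),  # 64 random bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 random bytes for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }
    node.attrib.clear()
    node.attrib.update(new_attrs)
    return ET.tostring(root, encoding="unicode"), new_attrs


def sign_viewstate(payload: bytes, validation_key_hex: str) -> bytes:
    """Simplified ViewState MAC: HMAC-SHA256 under validationKey (model, not ASP.NET's format)."""
    return hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()


def verify_viewstate(payload: bytes, mac: bytes, validation_key_hex: str) -> bool:
    """Constant-time check of a ViewState MAC against the server's current key."""
    return hmac.compare_digest(sign_viewstate(payload, validation_key_hex), mac)


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    new_xml, new_key = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after rotation:", audit_machine_key(new_xml) or "no findings")
    # An attacker who knows the sample key can sign any serialized payload...
    forged = sign_viewstate(b"<serialized gadget chain>", SAMPLE_VALIDATION_KEY)
    print("forgery accepted under sample key:", verify_viewstate(b"<serialized gadget chain>", forged, SAMPLE_VALIDATION_KEY))
    # ...but the same forgery fails once the server holds a unique key.
    print("forgery accepted after rotation:", verify_viewstate(b"<serialized gadget chain>", forged, new_key["validationKey"]))
```

Every server in one Sitecore deployment (content management and delivery roles behind the same sessions) must receive the same new key, or legitimate ViewState from one node will be rejected by another; generate the key once and distribute it, never re-copy it from documentation. Also treat the rotation as a containment step only: the local administrator accounts and remote-access tools described above survive a key change and must be hunted separately.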