- Sitecore patched a critical zero-day deserialization flaw affecting legacy deployments
- Threat actors exploited the vulnerability to deploy malware like WeepSteel
- Mandiant intervened mid-attack, preventing full damage
Popular CMS platform Sitecore has patched a critical zero-day vulnerability that was being abused in cyberattacks.
Security researchers from Mandiant observed threat actors exploiting the zero-day flaw to deploy malware alongside legitimate software repurposed for the intrusion.
The flaw stemmed from the use of sample ASP.NET machine keys published in old deployment guides (pre-2017), and is now tracked as CVE-2025-53690. It was given a severity score of 9.0/10 (critical).
WeepSteel and other woes
The zero-day is described as a critical deserialization vulnerability affecting Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), Experience Commerce (XC), and Managed Cloud versions up to 9.0, when deployed using the sample ASP.NET machine key included in pre-2017 documentation.
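The root cause above is a static, publicly documented machineKey reused in production web.config files. As an added example (not code from the article, Sitecore or Mandiant), this audit script parses a web.config, flags validationKey/decryptionKey values that match a placeholder list of known sample keys, flags static keys for review, and flags legacy algorithms; the sample key strings and both configs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Placeholder set (constructed): populate with the literal sample key values from
# any pre-2017 deployment guide you used; the article does not reproduce them.
KNOWN_SAMPLE_KEYS = {
    "SAMPLE-VALIDATION-KEY-FROM-DOCS",
    "SAMPLE-DECRYPTION-KEY-FROM-DOCS",
}
WEAK_ALGORITHMS = {"MD5", "SHA1", "DES", "3DES"}

def audit_machine_key(web_config_xml: str) -> list:
    """Return findings for the <machineKey> element of a web.config document."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return findings  # absent element: ASP.NET auto-generates keys per machine
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value.upper().startswith("AUTOGENERATE"):
            continue  # runtime-generated key, not copied from documentation
        if value in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr}: value matches a published sample key")
        elif value:
            findings.append(f"{attr}: static key; confirm it is unique to this deployment")
    for attr in ("validation", "decryption"):
        algorithm = mk.get(attr, "").upper()
        if algorithm in WEAK_ALGORITHMS:
            findings.append(f"{attr}: weak algorithm {algorithm}")
    return findings

# Constructed sample: the risky pattern (copied sample keys, legacy algorithms).
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="SAMPLE-VALIDATION-KEY-FROM-DOCS"
                decryptionKey="SAMPLE-DECRYPTION-KEY-FROM-DOCS"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Constructed sample: hardened single-server setting (a web farm instead needs
# unique keys generated per deployment and shared only between its nodes).
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""
```

Run `audit_machine_key` over every web.config in a deployment; any "matches a published sample key" finding means the keys must be regenerated and rotated, and any ViewState previously signed with them treated as untrusted.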
XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are apparently not impacted.
Mandiant stopped the attack mid-execution, which prevented the researchers from observing the full attack lifecycle. Still, they managed to find WeepSteel, a piece of malware designed for internal reconnaissance. This malware gathers system information, as well as process, disk, and network data, and exfiltrates that data by disguising it as standard ViewState responses.
Other tools the attackers were using included Earthworm, a network tunneling and reverse SOCKS proxy; Dwagent, a remote access tool; and the popular archiver 7-Zip.
While Mandiant led the investigation and disrupted the attack, it did not assign a formal nation-state or criminal group attribution. That said, the tactics, tooling, and operational maturity suggest a targeted campaign by a well-resourced actor, possibly with prior experience in exploiting ASP.NET environments.
Sitecore is a digital experience platform (DXP) used to deliver personalized and scalable digital experiences, and it counts major brands including Nestlé, Subway, Suzuki, and Procter & Gamble among its customers.
Via BleepingComputer