In a startling disclosure on September 4, 2025, Mandiant and Sitecore revealed an active zero-day vulnerability—CVE-2025-53690—in popular Sitecore products.
Attackers exploited exposed ASP.NET machine keys to craft malicious ViewState payloads, leading to full remote code execution and deep network infiltration.
The flaw, rooted in legacy deployment guides, impacted numerous on-premises and customer-managed deployments, prompting urgent advisories and patches from Sitecore and its partners.
Legacy Machine Keys Enable ViewState Attacks
Sitecore’s own deployment documentation for versions XP 9.0 and Active Directory 1.4 and earlier included sample ASP.NET <machineKey> values intended for demonstration.
These static keys, when left unchanged, allowed threat actors to bypass ViewState integrity checks, the MAC validation that protects ASP.NET’s page-state mechanism from tampering.
By posting a specially crafted ViewState to the publicly accessible /sitecore/blocked.aspx endpoint, attackers achieved initial server compromise.
IIS logs captured HTTP POST requests triggering “ViewState verification failed” errors, confirming the adversary’s possession of the legitimate machine key and use of tools like ysoserial.net to generate malicious payloads.
Once deserialized, the payload activated a .NET assembly named WEEPSTEEL, a reconnaissance tool that harvested system and network configurations.
The malware serialized information about operating system details, disk partitions, network adapters, and running processes into JSON, then exfiltrated it disguised as benign ViewState data.
This covert channel enabled attackers to map the victim environment without raising immediate alarms.
Foothold, Escalation, and Lateral Movement
Following initial code execution under the NETWORK SERVICE account, the threat actor immediately archived the web root, targeting sensitive files such as web.config to retrieve additional configuration secrets.
Host reconnaissance commands (whoami, ipconfig, tasklist /svc, and more) allowed detailed environment profiling. Public directories like C:\Users\Public\Music served as staging grounds for tools including:
- EARTHWORM – an open-source reverse SOCKS proxy enabling covert tunnels to C2 servers at 130.33.156[.]194:443 and 103.235.46[.]102:80.
- DWAGENT – a legitimate remote access tool installed as a SYSTEM service for persistent elevated access.
- SHARPHOUND – part of the BloodHound suite, used for in-depth Active Directory reconnaissance.
Privilege escalation followed via the creation of deceptive local administrator accounts (asp$ and sawadmin). Using these accounts, the attacker dumped the SYSTEM and SAM registry hives to extract password hashes and gain domain-level credentials.
Attempts to steal process tokens with the GoTokenTheft tool further underlined the adversary’s sophistication.
With valid administrator credentials, the attacker pivoted across hosts via RDP, issuing internal discovery commands and later removing the temporary accounts to erase traces.

Urgent Sitecore Mitigations and Best Practices
In response to these revelations, Sitecore published Security Bulletin SC2025-005, urging customers to examine all environments for anomalous activity and rotate any static machine keys in web.config. Key recommendations include:
- Automate Machine Key Rotation: Implement periodic regeneration of unique ASP.NET <machineKey> values to prevent long-term reuse.
- Enable ViewState MAC and Encryption: Ensure Web Forms ViewState validation is active and encrypted to block unauthorized deserialization.
- Secure Configuration Files: Restrict access to web.config and encrypt critical sections using ASP.NET’s protected configuration.
- Monitor for IOCs: Leverage Google Security Operations and threat intelligence feeds to detect known file hashes (e.g., WEEPSTEEL, EARTHWORM, GoToken.exe) and network indicators (e.g., 130.33.156[.]194, 103.235.46[.]102).
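The first three recommendations can be applied in one step. The following PowerShell script is an added example, not code from Sitecore or the Mandiant report: it generates fresh random machineKey values, writes them into a web.config (the path is an assumed default) and enforces ViewState MAC validation and encryption on the <pages> element.

```powershell
# Added example: rotate the ASP.NET <machineKey> in a web.config and enforce ViewState
# MAC/encryption. Assumes the path below; every server hosting the same application
# must receive the same new key, since ASP.NET farms require matching machine keys.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\web.config'  # assumed location
)

function New-HexKey {
    # Return $ByteLength cryptographically random bytes as an upper-case hex string
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# 64 random bytes for the HMACSHA256 validation key, 32 for the AES-256 decryption key
$validationKey = New-HexKey -ByteLength 64
$decryptionKey = New-HexKey -ByteLength 32

[xml]$config = Get-Content -Path $WebConfigPath -Raw
$systemWeb = $config.configuration.'system.web'
if (-not $systemWeb) { throw "No <system.web> section found in $WebConfigPath" }

# Replace (or create) the <machineKey> element so any static sample key is discarded
$machineKey = $systemWeb.SelectSingleNode('machineKey')
if (-not $machineKey) {
    $machineKey = $config.CreateElement('machineKey')
    [void]$systemWeb.AppendChild($machineKey)
}
$machineKey.SetAttribute('validationKey', $validationKey)
$machineKey.SetAttribute('decryptionKey', $decryptionKey)
$machineKey.SetAttribute('validation', 'HMACSHA256')
$machineKey.SetAttribute('decryption', 'AES')

# Enforce ViewState MAC checking and always-on ViewState encryption
$pages = $systemWeb.SelectSingleNode('pages')
if (-not $pages) {
    $pages = $config.CreateElement('pages')
    [void]$systemWeb.AppendChild($pages)
}
$pages.SetAttribute('enableViewStateMac', 'true')
$pages.SetAttribute('viewStateEncryptionMode', 'Always')

# Keep a backup; existing ViewState and forms-auth tickets become invalid after rotation
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
$config.Save($WebConfigPath)
Write-Host "Rotated machineKey in $WebConfigPath (backup at $WebConfigPath.bak)"
```

Run it from an elevated prompt on each server in the deployment, then recycle the application pool so the new key takes effect.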
Managed Cloud customers on Standard and Premium tiers have already received direct notifications, with automated machine key generation enabled in newer Sitecore releases. Those on legacy topologies must follow Sitecore’s patch and rotation guides without delay.
According to the report, Microsoft’s earlier advisory on public ASP.NET machine key disclosures and Mandiant’s disruption of similar SharePoint attacks underscore the broader risks of static key usage.
Organizations running ASP.NET applications are advised to apply these lessons universally, beyond Sitecore, to safeguard against ViewState deserialization and related code injection threats.
By swiftly addressing these configuration oversights and adopting robust key management practices, Sitecore customers can fortify their deployments against advanced adversaries who increasingly target application-layer weaknesses to achieve deep network penetration.
Indicators of Compromise (IoCs):
Network-Based
| IP:Port |
|---|
| 130.33.156[.]194:443 |
| 130.33.156[.]194:8080 |
| 103.235.46[.]102:80 |