Particle.news

CISA Orders Immediate Fix for Actively Exploited Sitecore ViewState Flaw (CVE-2025-53690)

Mandiant traced the intrusions to reused sample ASP.NET machine keys from older Sitecore deployment guides.

Overview

  • CISA directed federal agencies to remediate by September 25 and added CVE-2025-53690 to its Known Exploited Vulnerabilities list.
  • The vulnerability enables remote code execution via ViewState deserialization when deployments use publicly documented machine keys from legacy guidance.
  • Mandiant disrupted an ongoing intrusion that targeted /sitecore/blocked.aspx, achieved RCE, and deployed the WEEPSTEEL reconnaissance payload.
  • Investigators observed follow-on tools including EARTHWORM, DWAGENT, SHARPHOUND, and GoTokenTheft for persistence, credential access, and lateral movement.
  • Sitecore issued mitigation guidance, confirmed new deployments auto-generate unique keys, and advised customers to rotate and encrypt machineKey values and hunt for indicators of compromise.
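A defender's check for the condition described above, as an added example that is not from the article, Mandiant or Sitecore: it reads a web.config document and reports whether the machineKey values are auto-generated, encrypted, static plaintext, or equal to a known published key. The function name, the sample fragments and the key values are constructed placeholders; the real list of published keys has to come from the vendor advisory.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder, NOT a real published key. Replace with the values
# from the vendor advisory or the legacy guide you are checking against.
PLACEHOLDER_PUBLIC_KEYS = {"0123456789ABCDEF" * 4}
KEY_ATTRS = ("validationKey", "decryptionKey")

def audit_machine_key(config_xml, known_public_keys=PLACEHOLDER_PUBLIC_KEYS):
    """Return (severity, message) findings for one web.config document."""
    known = {k.upper() for k in known_public_keys}
    findings = []
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        # A protected section carries configProtectionProvider and an
        # EncryptedData child instead of readable key attributes.
        if mk.get("configProtectionProvider") or any(
                child.tag.endswith("EncryptedData") for child in mk):
            findings.append(("info", "machineKey is encrypted; confirm rotation separately"))
            continue
        for attr in KEY_ATTRS:
            value = (mk.get(attr) or "").strip().upper()
            # Absent or AutoGenerate[,IsolateApps]: the runtime creates the key.
            if not value or value.startswith("AUTOGENERATE"):
                continue
            if value in known:
                findings.append(("critical", f"{attr} matches a publicly documented key"))
            else:
                findings.append(("warning", f"{attr} is a static plaintext value"))
    return findings

# Constructed web.config fragments for illustration.
WRAP = "<configuration><system.web>{}</system.web></configuration>"
SAMPLE_STATIC = WRAP.format(
    '<machineKey validationKey="{}" decryptionKey="{}" validation="SHA1" '
    'decryption="AES"/>'.format("0123456789ABCDEF" * 4, "FEDCBA9876543210" * 2))
SAMPLE_AUTO = WRAP.format(
    '<machineKey validationKey="AutoGenerate,IsolateApps" '
    'decryptionKey="AutoGenerate,IsolateApps"/>')
SAMPLE_ENCRYPTED = WRAP.format(
    '<machineKey configProtectionProvider="RsaProtectedConfigurationProvider">'
    '<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"/></machineKey>')

if __name__ == "__main__":
    for name, doc in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO),
                      ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, audit_machine_key(doc))
```

A "warning" result still calls for rotation and encryption of the section, since a static key that is not on the published list may have been copied from another source.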