Sitecore Zero-Day Sparks New Round of ViewState Threats

Summary

A critical Sitecore zero-day (CVE-2025-53690) is being actively exploited in ViewState deserialization attacks affecting Sitecore Experience Manager (XM), Experience Platform (XP) and Experience Commerce. Mandiant found attackers used an exposed ASP.NET machineKey — pasted in older Sitecore documentation — to craft malicious ViewState data and achieve remote code execution. The incident was interrupted by Mandiant response, but it joins a string of ViewState-related exploits this year tied to exposed or improperly protected machineKey values.

Key Points

  • CVE-2025-53690 is an active Sitecore ViewState deserialization zero-day used for remote code execution.
  • Attackers leveraged a sample ASP.NET machineKey published in older Sitecore deployment guides to sign malicious ViewState data.
  • Mandiant disrupted the attack during incident response, but full attack chains remain a concern.
  • Microsoft previously flagged ~3,000 publicly exposed ASP.NET machineKeys that can be weaponised for similar ViewState attacks.
  • Other recent ViewState-related zero-days and breaches this year (CentreStack, ConnectWise/ScreenConnect, SharePoint) show the technique is recurring and opportunistic.
  • Sitecore advises rotating and securing machineKey entries, encrypting any in web.config and restricting web.config access to administrators only.
  • Hidden ViewState forms (for example the /sitecore/blocked.aspx page) that do not require authentication are attractive targets for deserialization attacks.
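
The remediation steps above (rotate the machineKey, encrypt it in web.config, restrict who can read the file) are the kind of thing an administrator ends up doing by hand on each server. The script below is an added example written for this page; it is not code from the Dark Reading article or from Sitecore. It assumes a hypothetical site root of C:\inetpub\wwwroot\sitecore, .NET Framework 4.x on 64-bit Windows, an application pool that is a member of IIS_IUSRS, and an elevated PowerShell prompt. The $KnownPublishedKeys list is a placeholder: the sample key from the superseded documentation is deliberately not reproduced here.

```powershell
# Added example, not code from the Dark Reading article or from Sitecore.
# Audits the <machineKey> in an ASP.NET web.config, optionally rotates it to
# fresh random values, encrypts the section with aspnet_regiis, and tightens
# the file ACL. Assumptions (hypothetical): .NET Framework 4.x on 64-bit
# Windows, the site lives under $SitePath, the app pool identity belongs to
# IIS_IUSRS, and the script runs from an elevated PowerShell prompt.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\sitecore',   # hypothetical site root
    [switch]$Rotate                                      # audit only unless set
)

$webConfig = Join-Path $SitePath 'web.config'
$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

# Placeholder list: put the validationKey strings from the superseded public
# docs here. The real values are intentionally not reproduced in this example.
$KnownPublishedKeys = @('PLACEHOLDER_SAMPLE_KEY_FROM_OLD_DOCS')

[xml]$cfg = Get-Content -Path $webConfig -Raw
$sysWeb = $cfg.configuration.'system.web'
$mk     = $sysWeb.machineKey

# --- Audit ---------------------------------------------------------------
if ($null -eq $mk) {
    Write-Warning "No <machineKey> element: ASP.NET falls back to AutoGenerate,IsolateApps."
} elseif ($mk.configProtectionProvider) {
    # aspnet_regiis leaves this attribute behind once the section is encrypted
    Write-Host "machineKey section is already encrypted ($($mk.configProtectionProvider))."
} else {
    Write-Warning "machineKey is stored in plaintext in $webConfig."
    if ($KnownPublishedKeys -contains $mk.validationKey) {
        Write-Warning "validationKey matches a publicly published sample key - rotate immediately."
    }
    if ($mk.validationKey -match '^AutoGenerate') {
        Write-Host "validationKey is AutoGenerate (acceptable on a single server, not in a farm)."
    }
}

if (-not $Rotate) { return }

# --- Rotate --------------------------------------------------------------
function New-HexKey([int]$Bytes) {
    # Cryptographically random bytes rendered as the uppercase hex ASP.NET expects
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    $rng.Dispose()
    return ([System.BitConverter]::ToString($buf)) -replace '-', ''
}

if ($null -eq $mk) {
    $mk = $cfg.CreateElement('machineKey')
    [void]$sysWeb.AppendChild($mk)
}
$mk.SetAttribute('validationKey', (New-HexKey 64))   # 64 bytes for HMACSHA256
$mk.SetAttribute('decryptionKey', (New-HexKey 32))   # 32 bytes for AES-256
$mk.SetAttribute('validation', 'HMACSHA256')
$mk.SetAttribute('decryption', 'AES')
$cfg.Save($webConfig)
Write-Host "Wrote a new machineKey to $webConfig (existing ViewState and auth tickets are now invalid)."

# --- Encrypt the section in place (DPAPI provider, machine-scoped by default) --
& $regiis -pef 'system.web/machineKey' $SitePath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# --- Restrict who can read the file --------------------------------------
# Administrators and SYSTEM keep full control. The app pool still needs read
# access or the site will not start, so IIS_IUSRS is left with read only.
icacls $webConfig /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\IIS_IUSRS:(R)' | Out-Null
```

Run it without -Rotate first to see whether the key is plaintext, a known sample, or AutoGenerate; run with -Rotate to replace and encrypt it. Two caveats matter in practice: every node of a web farm must carry the same new key, and the default DPAPI provider used by -pef is bound to the machine, so a farm should instead use the RSA provider (-prov RsaProtectedConfigurationProvider with an exported key container) so each node can decrypt the shared section.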

Content Summary

Mandiant’s investigation uncovered active exploitation of a Sitecore ViewState deserialization flaw where attackers used a sample machineKey published in older Sitecore docs. The vulnerability enables attackers to craft signed ViewState payloads and perform RCE. Though Mandiant interrupted the observed attack, the vulnerability underscores a broader problem: widely available or poorly protected ASP.NET machineKeys are being reused or found in code repositories and documentation, making many servers vulnerable to deserialization and code-injection attacks. The article also places the Sitecore zero-day in context with other ViewState exploitation incidents this year and relays Sitecore’s remediation guidance.

Context and Relevance

This is part of a clear trend in 2025: weaponisation of exposed ASP.NET machineKeys and ViewState deserialization as an effective attack vector. Organisations running Sitecore or any ASP.NET apps should treat publicly disclosed or default/stub machineKey values as urgent risk items. The danger is not only immediate RCE but also stealthy persistence and lateral movement once an attacker gains foothold. The piece ties recent disclosures and breaches together to show opportunistic exploitation rather than a single linked campaign.

Why should I read this?

Short version: if you run Sitecore or manage ASP.NET apps, stop scrolling — check your web.configs now. The article saves you time by explaining how a copy-paste sample key in old docs turned into an active zero-day exploit. It gives the how and why, and points to the straightforward fixes (rotate keys, encrypt them, lock down web.config). Consider this a high-priority hygiene alert, not just another vulnerability blip.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/sitecore-zero-day-viewstate-threats