DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-53690: Documentation-Driven Destruction: The Sitecore Static Key RCE

Vulnerability ID: CVE-2025-53690
CVSS Score: 9.0
Published: 2025-09-03

A critical remote code execution vulnerability in Sitecore products, caused by the widespread use of insecure, static ASP.NET machine keys copied from official vendor documentation. Because the keys are public, attackers can forge ViewState data that the server accepts as valid and deserializes, executing arbitrary code without authentication.

TL;DR

Sitecore admins copy-pasted 'example' encryption keys from official docs into production. Attackers are using these publicly documented keys to forge malicious ViewState payloads, achieving full Remote Code Execution (RCE) as SYSTEM. Active in the wild (UAT-8837).


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-502
  • CVSS: 9.0 (Critical)
  • Attack Vector: Network (Remote)
  • Authentication: None
  • Exploit Status: Active Exploitation (KEV)
  • Threat Actor: UAT-8837 (China-linked)
  • Payload: WEEPSTEEL / .NET Deserialization

Affected Systems

  • Sitecore Experience Platform (XP) <= 9.0 (fixed by manual configuration change)
  • Sitecore Experience Manager (XM) <= 9.0 (fixed by manual configuration change)
  • Sitecore Experience Commerce (XC) <= 9.0
  • Sitecore Managed Cloud (Legacy Configurations)

Exploit Details

  • Mandiant: Analysis of UAT-8837 exploiting ViewState deserialization in Sitecore
  • GitHub: ysoserial.net tool capable of generating ViewState payloads

Mitigation Strategies

  • Cryptographic Key Rotation
  • Configuration Encryption
  • Log Monitoring

Remediation Steps:

  1. Identify all Sitecore instances running versions <= 9.0.
  2. Generate new, random 'validationKey' and 'decryptionKey' values using a PowerShell script or an online generator (only from a source you trust: anyone who sees the key can forge ViewState).
  3. Update the 'web.config' file with the new keys.
  4. Use 'aspnet_regiis.exe' to encrypt the '<machineKey>' section of the configuration file.
  5. Restart the IIS application pool to apply changes.
  6. Monitor IIS logs for ViewState validation failures (these can indicate legitimate clients still holding ViewState signed with the old key, or continued attack attempts).
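The following PowerShell script is an added example for the remediation steps above and for the machine-key weakness described in the technical details; it is not from the original report and not Sitecore's own tooling. It audits the '<machineKey>' element of a web.config, flags keys that match a list of documentation example values, rotates them to fresh random keys, encrypts the section with 'aspnet_regiis.exe', restarts the application pool and lists recent ViewState validation failures from the Application event log. The web.config path, the app pool name and the documentation-key list are placeholders you must fill in; the report does not reproduce the documented keys. The ASP.NET event provider name is assumed for .NET Framework 4.x.

```powershell
# Added example (not from the original report or from Sitecore): audit and rotate the
# ASP.NET <machineKey> of a Sitecore site, covering remediation steps 2-6.
# Placeholders: web.config path, app pool name, documentation-key list. Run elevated.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\sitecore\web.config',  # placeholder path
    [string]$AppPool   = 'SitecoreAppPool',                          # placeholder app pool
    [switch]$Rotate                                                  # without -Rotate: audit only
)

# Placeholder list: put the literal validationKey/decryptionKey strings that the vendor
# documentation publishes here so the audit can flag a config that copied them.
$KnownDocumentationKeys = @(
    'PLACEHOLDER-DOCUMENTATION-KEY'
)

function New-HexKey {
    param([int]$Bytes)
    # Cryptographically random bytes, upper-case hex as the machineKey attributes expect.
    $buffer = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buffer)
    return (($buffer | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-MachineKeyStatus {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $mk = $cfg.SelectSingleNode('/configuration/system.web/machineKey')
    if (-not $mk) { return 'NOT-SET' }          # ASP.NET auto-generates a per-machine key
    if ($mk.GetAttribute('configProtectionProvider')) { return 'ENCRYPTED' }
    $vk = $mk.GetAttribute('validationKey')
    $dk = $mk.GetAttribute('decryptionKey')
    if ($KnownDocumentationKeys -contains $vk -or $KnownDocumentationKeys -contains $dk) {
        return 'DOCUMENTATION-KEY'             # the CVE-2025-53690 condition
    }
    if ($vk -like 'AutoGenerate*') { return 'AUTOGENERATE' }
    return 'EXPLICIT'
}

function Set-NewMachineKey {
    param([string]$Path)
    # Steps 2-3: back up, then write 64 random bytes for HMACSHA256 validation and
    # 32 random bytes for AES decryption.
    Copy-Item -Path $Path -Destination ('{0}.bak-{1}' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    [xml]$cfg = Get-Content -Path $Path -Raw
    $sysWeb = $cfg.SelectSingleNode('/configuration/system.web')
    $mk = $sysWeb.SelectSingleNode('machineKey')
    if (-not $mk) { $mk = $sysWeb.AppendChild($cfg.CreateElement('machineKey')) }
    $mk.SetAttribute('validationKey', (New-HexKey -Bytes 64))
    $mk.SetAttribute('decryptionKey', (New-HexKey -Bytes 32))
    $mk.SetAttribute('validation', 'HMACSHA256')
    $mk.SetAttribute('decryption', 'AES')
    $cfg.Save($Path)
}

function Protect-MachineKeySection {
    param([string]$Path)
    # Step 4: encrypt the section in place so the keys are no longer readable in the file.
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    & $regiis -pef 'system.web/machineKey' (Split-Path -Path $Path -Parent)
}

function Get-ViewStateFailures {
    param([int]$Hours = 24)
    # Step 6: ASP.NET health monitoring logs "Viewstate verification failed" to the
    # Application log. Provider name assumed for .NET Framework 4.x; adjust if different.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'ASP.NET 4.0.30319.0'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Viewstate verification failed' } |
        Select-Object TimeCreated, Id, MachineName
}

$status = Get-MachineKeyStatus -Path $WebConfig
Write-Host "machineKey status for ${WebConfig}: $status"

if ($Rotate -and $status -ne 'ENCRYPTED') {
    Set-NewMachineKey -Path $WebConfig
    Protect-MachineKeySection -Path $WebConfig
    Import-Module WebAdministration
    Restart-WebAppPool -Name $AppPool          # step 5
    Write-Host "Keys rotated, section encrypted, app pool '$AppPool' restarted."
}

Get-ViewStateFailures -Hours 24 | Format-Table -AutoSize
```

Run it without '-Rotate' first to see the audit result; a 'DOCUMENTATION-KEY' status is the condition this CVE describes. If the section is already encrypted, decrypt it first with 'aspnet_regiis.exe -pdf "system.web/machineKey" <site dir>' before rotating, and in a multi-server deployment copy the same newly generated key pair to every instance serving that site, since ViewState signed by one server must validate on the others.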

Read the full report for CVE-2025-53690 on our website for more details including interactive diagrams and full exploit analysis.
