CVE ID
CVE-2025-53690
Vulnerability Name
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
- Project: Sitecore
- Product: Multiple Products
Date
- Date Added: 2025-09-04
- Due Date: 2025-09-25
Description
Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53690
Related Security News
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation
- Hackers exploited Sitecore zero-day flaw to deploy backdoors
Top comments (0)