Attackers snooping around Sitecore, dropping malware via public sample keys
theregister.co.uk
Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines.
All versions of Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud remain "potentially impacted" by CVE-2025-53690, a ViewState deserialization vulnerability, if they are deployed in a multi-instance mode with customer-managed static machine keys, the business software provider warned in a Wednesday security bulletin.
The bug is due to a configuration issue - not a software hole - and affects customers using the sample key provided with deployment instructions for Sitecore XP 9.0 or earlier and Sitecore Active Directory 1.4 and earlier versions. Updated deployments automatically generate a random machine key.
If you're stuck with one of the sample keys from Sitecore's old docs instead of generating your own, treat your install as vulnerable and rotate ...
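An added example, not from the article or from Sitecore: a defender-side audit that flags statically configured ASP.NET `machineKey` values in a `web.config`, the condition the bulletin ties to CVE-2025-53690. The function names and sample configs are constructed, and the digest set is an empty placeholder because the article does not give the sample key values.

```python
import hashlib
import xml.etree.ElementTree as ET

# Placeholder: SHA-256 digests of sample keys from old deployment docs you hold.
KNOWN_SAMPLE_KEY_SHA256 = frozenset()

def key_digest(value):
    """Normalise a hex key string and hash it, so raw keys are never stored."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()

def audit_machine_key(web_config_xml, known_digests=KNOWN_SAMPLE_KEY_SHA256):
    """Return (attribute, status) findings for every non-auto-generated key."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for elem in root.iter():
        # Match on local name so a namespaced <configuration> is still handled.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            # A missing attribute means ASP.NET auto-generates the key.
            value = elem.get(attr, "AutoGenerate")
            if value.strip().lower().startswith("autogenerate"):
                continue
            known = key_digest(value) in known_digests
            findings.append((attr, "known-sample" if known else "static"))
    return findings

# Constructed sample inputs (the key below is made up, not a real sample key).
CONSTRUCTED_KEY = "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
STATIC_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{CONSTRUCTED_KEY}"
              decryptionKey="{CONSTRUCTED_KEY[:48]}"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""
AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("auto", AUTO_CONFIG)):
        print(name, audit_machine_key(cfg))
```

Any `static` finding on a multi-instance deployment is worth tracing back to where the key came from; a `known-sample` match means the key should be treated as public.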