Hackers Exploit Sitecore Zero-Day for Malware Delivery
securityweek
Threat actors have been using an exposed ASP.NET machine key for remote code execution (RCE) on vulnerable Sitecore deployments, Google warns.
Adversaries used a sample machine key that was included in Sitecore deployment guides from 2017 and earlier and executed a ViewState deserialization attack against internet-accessible Sitecore instances.
The issue, tracked as CVE-2025-53690 (CVSS score of 9.0), is described as a deserialization of untrusted data bug affecting Sitecore Experience Manager (XM) and Experience Platform (XP) prior to version 9.0 that were deployed using the sample key exposed in the guides.
Sitecore has addressed the security defect and released an advisory to provide organizations with recommended mitigation guidance and indicators-of-compromise (IoCs).
“Sitecore has confirmed that its updated deployments automatically generate a unique machine key and that affected customers have been notified,” Google notes.
As part of the observed attacks, which were quickly disrupted, the hackers used a ViewState ...
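A defensive check for the condition described above, as an added example that is not from the article, Sitecore or Google: it audits a `web.config` for `<machineKey>` values that are hard-coded or that match a list of publicly known keys. The key values, the denylist and the sample config are constructed placeholders; real denylist entries would come from the vendor advisory.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a key that was published in documentation.
# It is NOT the real sample key; populate the set from the vendor advisory.
CONSTRUCTED_PUBLIC_KEY = "AB" * 32
KNOWN_PUBLIC_KEY_HASHES = {
    hashlib.sha256(CONSTRUCTED_PUBLIC_KEY.encode()).hexdigest(),
}

# Constructed web.config fragment: one key on the denylist, one static key that is not.
SAMPLE_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{CONSTRUCTED_PUBLIC_KEY}" decryptionKey="{'CD' * 24}"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""


def audit_machine_keys(config_xml):
    """Return (attribute, status) findings for every <machineKey> element."""
    findings = []
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        # Protected configuration sections cannot be inspected offline.
        if mk.get("configProtectionProvider"):
            findings.append(("machineKey", "encrypted-section"))
            continue
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET default when the attribute is absent.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            digest = hashlib.sha256(value.upper().encode()).hexdigest()
            if value.upper().startswith("AUTOGENERATE"):
                status = "auto-generated"
            elif digest in KNOWN_PUBLIC_KEY_HASHES:
                status = "known-public"   # rotate immediately, review for compromise
            else:
                status = "static"         # acceptable only if unique and kept secret
            findings.append((attr, status))
    return findings


if __name__ == "__main__":
    for attr, status in audit_machine_keys(SAMPLE_CONFIG):
        print(f"{attr}: {status}")
```

A `known-public` result means anyone holding the published key can produce ViewState that the server accepts as validly signed, which is the precondition for the deserialization attack the article describes.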