
Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware


A critical zero-day vulnerability (CVE-2025-53690) is being actively exploited in Sitecore. This flaw, originating from old, insecure keys, allows hackers to achieve Remote Code Execution (RCE) via ViewState deserialization attacks.

This exploit hinges on ViewState, an ASP.NET feature that helps a website remember a user’s actions. Attackers are abusing it through what is known as a ViewState deserialization attack: the server, which normally trusts ViewState messages, is tricked into accepting malicious code because the security keys that protect those messages are publicly known.

Reportedly, hackers have been leveraging a key from Sitecore’s own deployment guides, which were published as far back as 2017. By using this publicly known key, attackers can trick the system into accepting malicious commands, which ultimately allows them to run their own code on the server, a method known ...
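A defensive check for the condition described above, added here as an example and not taken from the original article or from Sitecore: it audits a `web.config` for `<machineKey>` values that are hard-coded or that match a list of keys known to be published. The denylist entry, the function name and both sample configs are constructed placeholders; the real sample key has to come from the vendor's advisory.

```python
import xml.etree.ElementTree as ET

# Placeholder denylist (constructed value, NOT a real Sitecore key).
# Populate it with keys copied from public guides or advisories, upper-cased.
PUBLISHED_KEYS = {"0123456789ABCDEF" * 4}

# Constructed sample: validationKey reuses a published key, decryptionKey is static.
SAMPLE_BAD = """<configuration><system.web>
  <machineKey validationKey="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
              decryptionKey="A1B2C3D4E5F60718293A4B5C6D7E8F90" validation="HMACSHA256" />
</system.web></configuration>"""

# Constructed sample: keys are generated per machine by ASP.NET.
SAMPLE_OK = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def audit_machine_keys(config_xml, published=PUBLISHED_KEYS):
    """Return (attribute, status) pairs for every <machineKey> in a web.config.

    status is "auto" (generated per machine), "published" (matches the
    denylist, so anyone can sign ViewState for this site) or "static"
    (hard-coded; must be confirmed unique and secret).
    """
    findings = []
    root = ET.fromstring(config_xml)
    # iter() also reaches machineKey elements nested under <location> blocks.
    for element in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # A missing attribute falls back to the ASP.NET default, AutoGenerate.
            value = element.get(attr, "AutoGenerate")
            key = value.split(",")[0].strip().upper()
            if key == "AUTOGENERATE":
                findings.append((attr, "auto"))
            elif key in published:
                findings.append((attr, "published"))
            else:
                findings.append((attr, "static"))
    return findings


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, audit_machine_keys(sample))
```

Any `published` finding means the key should be rotated and the host reviewed for prior compromise; a `static` finding is only acceptable if the key was generated for that deployment and never shared.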


Copyright of this story solely belongs to hackread.com.