Unknown miscreants snooping around Sitecore via sample keys

Unknown miscreants snooping around Sitecore via sample keys

Briefly

"Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines. All versions of Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud remain "potentially impacted" by CVE-2025-53690, a ViewState deserialization vulnerability, if they are deployed in a multi-instance mode with customer-managed static machine keys, the business software provider warned in a Wednesday security bulletin."

"If you're stuck with one of the sample keys from Sitecore's old docs instead of generating your own, treat your install as vulnerable and rotate those keys now. "Successful exploitation of the related vulnerability might lead to remote code execution and non-authorized access to information," the vendor noted. Plus, it appears that criminals seized upon these publicly documented keys to remotely execute code and snoop around exposed instances before Sitecore issued its guidance."

"On Wednesday, in conjunction with Sitecore's bulletin, Mandiant published its own account of an attack disrupted midway, during which the attacker used the exposed ASP.NET machine key to perform RCE. Then on Thursday, the US Cybersecurity and Infrastructure Security Agency added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog. Mandiant said it disrupted the attack early, which prevented the incident responders from observing the full lifecycle and determining the attackers' motivations."