Unknown miscreants snooping around Sitecore via sample keys
"Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines. All versions of Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud remain "potentially impacted" by CVE-2025-53690, a ViewState deserialization vulnerability, if they are deployed in a multi-instance mode with customer-managed static machine keys, the business software provider warned in a Wednesday security bulletin."
"If you're stuck with one of the sample keys from Sitecore's old docs instead of generating your own, treat your install as vulnerable and rotate those keys now. "Successful exploitation of the related vulnerability might lead to remote code execution and non-authorized access to information," the vendor noted. Plus, it appears that criminals seized upon these publicly documented keys to remotely execute code and snoop around exposed instances before Sitecore issued its guidance."
"On Wednesday, in conjunction with Sitecore's bulletin, Mandiant published its own account of an attack disrupted midway, during which the attacker used the exposed ASP.NET machine key to perform RCE. Then on Thursday, the US Cybersecurity and Infrastructure Security Agency added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog. Mandiant said it disrupted the attack early, which prevented the incident responders from observing the full lifecycle and determining the attackers' motivations."
Multiple Sitecore products are potentially impacted by CVE-2025-53690 when deployed in multi-instance mode with customer-managed static ASP.NET machine keys. The vulnerability stems from use of publicly documented sample machine keys included in older deployment instructions; updated deployments generate random machine keys. Attackers have exploited the exposed keys to perform ViewState deserialization leading to remote code execution and deployment of snooping malware. Mandiant disrupted an attack that used an exposed machine key, and CISA added the CVE to its Known Exploited Vulnerabilities catalog. Administrators should rotate any sample or static machine keys immediately.
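The practical check that follows from this is whether a deployment still carries a hard-coded `<machineKey>` (and in particular one copied from documentation) rather than a randomly generated one. The script below is an added example, not Sitecore's or Mandiant's code: it audits a web.config for static ASP.NET machine keys, flags a key that matches a list of known sample values (a placeholder set here; the real documentation keys are not reproduced on this page), and mints a fresh `<machineKey>` element for rotation. The config fragment and the placeholder key values are constructed for the example.

```python
"""Audit an ASP.NET web.config for static machineKey values and mint replacements.

Added example (not vendor code). The config fragment and the "known sample key"
entry are constructed placeholders; populate KNOWN_SAMPLE_KEYS from the vendor's
old deployment documentation in a real audit.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder values, deliberately recognisable as non-random.
PLACEHOLDER_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 64 bytes as hex
PLACEHOLDER_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 32 bytes as hex

# Placeholder: keys copied from published sample configs would go here (upper-case hex).
KNOWN_SAMPLE_KEYS = {PLACEHOLDER_VALIDATION_KEY, PLACEHOLDER_DECRYPTION_KEY}

# Constructed web.config fragment with a hard-coded machineKey, as an older
# multi-instance deployment guide might have instructed.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{PLACEHOLDER_VALIDATION_KEY}"
                decryptionKey="{PLACEHOLDER_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def audit_machine_key(config_xml: str) -> dict:
    """Return {'static': bool, 'findings': [str]} for the first <machineKey> found."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    result = {"static": False, "findings": []}
    if mk is None:
        # No element: ASP.NET auto-generates per-server keys. That breaks ViewState
        # sharing across a farm, but it is not the copied-static-key exposure.
        return result

    for name in ("validationKey", "decryptionKey"):
        value = mk.get(name, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        result["static"] = True
        if value.upper() in KNOWN_SAMPLE_KEYS:
            result["findings"].append(f"{name} matches a documented sample key; rotate immediately")
        elif not HEX_RE.match(value):
            result["findings"].append(f"{name} is not a hex string; check how it was produced")

    if result["static"] and not result["findings"]:
        result["findings"].append("static keys present; confirm they were generated randomly, not copied")

    # Legacy MAC algorithms: .NET 4.5+ defaults to HMACSHA256 for ViewState validation.
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in ("MD5", "SHA1"):
        result["findings"].append(f"validation={validation} is a legacy algorithm; use HMACSHA256")
    return result


def generate_machine_key_element() -> str:
    """Mint a replacement <machineKey> with CSPRNG-generated keys.

    In multi-instance mode the same element must be deployed to every instance;
    rotating it invalidates all outstanding ViewState and forms-auth tickets.
    """
    validation_key = secrets.token_hex(64).upper()   # 64 bytes for HMACSHA256
    decryption_key = secrets.token_hex(32).upper()   # 32 bytes for AES-256
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG)["findings"]:
        print("FINDING:", finding)
    print("Replacement element:")
    print(generate_machine_key_element())
```

Run it against each instance's web.config (and any config patch files that layer a `machineKey` on top of it); a hit on the sample-key list is the case the bulletin describes, but any static key whose origin cannot be traced to a local random generation deserves the same rotation.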
Read at The Register