Top CMS Sitecore patches critical zero-day flaw being hit by hackers

Sitecore patched a critical zero-day deserialization flaw affecting legacy deployments
Threat actors exploited the vulnerability to deploy malware like WeepSteel
Mandiant intervened mid-attack, preventing full damage

Popular CMS platform Sitecore has patched a critical zero-day vulnerability found to be being abused in cyberattacks.

Security researchers from Mandiant observed threat actors exploiting a zero-day flaw to deploy malware, as well as other legitimate software.]

The flaw stemmed from the use of sample ASP.NET machine keys published in old deployment guides (pre-2017), and is now tracked as CVE-2025-53690. It was given a severity score of 9.0/10 (critical).

WeepSteel and other woes

The zero-day is described as a critical deserialization vulnerability affecting Sitecore Experience Manager (XM), Sitecore Experience Platform (XP), Experience Commerce (XC), and Managed Cloud versions up to 9.0, when deployed using the sample ASP.NET machine key included in pre-2017 documentation.

XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are apparently not impacted.

Mandiant stopped the attack mid-execution, which prevented the researchers from observing the full attack lifecycle. Still, they managed to find WeepSteel, a piece of malware designed for internal reconnaissance. This malware gathers system information, as well as process, disk, and network data. It exfiltrates it by hiding it as standard ViewState responses.

Other tools that the attackers were using included Earthworm, which is a network tunneling and reverse SOCKS proxy, Dwagent, which is a remote access tool, and the popular archiver 7-Zip.

While Mandiant led the investigation and disrupted the attack, it did not assign a formal nation-state or criminal group attribution. That said, the tactics, tooling, and operational maturity suggest a targeted campaign by a well-resourced actor, possibly with prior experience in exploiting ASP.NET environments.

Sitecore is a digital experience platform (DXP) which counts major brands, including Nestlé, Subway, Suzuki, and Procter & Gamble, as customers to deliver personalized and scalable digital experiences.