ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

A critical ViewState deserialization vulnerability (CVE-2025-53690) was discovered in Sitecore products, affecting deployments that used an exposed sample ASP.NET machine key. The attacker exploited it to achieve remote code execution, then progressed from initial compromise to privilege escalation. Key events included deploying the WEEPSTEEL malware for reconnaissance, archiving sensitive files, staging tools such as EARTHWORM and DWAGENT, creating local administrator accounts, dumping credentials, and performing Active Directory reconnaissance with SHARPHOUND. The attack demonstrated detailed knowledge of the target system and used a range of techniques for persistence and lateral movement. Sitecore has addressed the issue and notified affected customers.

Author: AlienVault

Related Tags:
weepsteel, dwagent, sitecore, cve-2025-53690, deserialization, T1021.006, reconnaissance, privilege escalation, T1136.001

Associated Indicators:

SHA-256 file hashes:
B3F83721F24F7EE5EB19F24747B7668FF96DA7DFD9BE947E6E24A688ECC0A52B
61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863

SHA-1 file hashes:
003191DAD15FDFF03796ECD5FDFC3BAB9FB74779
8C53E8A7A9E5A272029F65194540EC2490101A48
D29EF8C95B36A44455061D89368C53BEF29471C6

MD5 file hashes:
BE7E2C6A9A4654B51A16F8B10A2BE175
117305C6C8222162D7246F842C4BB014
62483E732553C8BA051B792949F3C6D0
63D22AE0568B760B5E3AABB915313E44