
Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware

Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE).

HackRead
Tags: #vulnerability #web #google #git #intel #rce #zero_day #asp.net

A critical zero-day vulnerability (CVE-2025-53690) is being actively exploited in Sitecore. The flaw stems from a sample ASP.NET machine key that shipped in Sitecore's deployment documentation and was then reused in production deployments; with that key in hand, attackers can achieve Remote Code Execution (RCE) via ViewState deserialization.

The exploit hinges on ViewState, an ASP.NET mechanism that serializes the state of a page's controls into a hidden form field so that it survives postbacks. ASP.NET protects that field with a message authentication code (and optionally encryption) derived from the application's machineKey, and only deserializes the contents once the MAC verifies. A ViewState deserialization attack is what happens when that key is public: the attacker signs a malicious serialized object graph with the known key, the server accepts it as genuine, and the deserializer executes the embedded gadget chain.

Reportedly, the attackers used a sample key taken from Sitecore's own deployment guides, some of which date back to 2017. Because that key is publicly known, anyone can forge ViewState that the affected servers accept, and the resulting deserialization lets the attacker run their own code on the server, which is what Remote Code Execution (RCE) means here.
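The two paragraphs above describe the mechanism (a MAC over ViewState keyed by the machineKey) and the mistake (a documented sample key reused in production). The following Python is an added example, not code from the article, from Sitecore or from Mandiant. It models the MAC check in simplified form (real ASP.NET derives purpose-specific keys and uses ObjectStateFormatter, so the bytes are not wire-compatible), shows that a payload signed with a copied key is accepted while a fresh random key rejects it, and then audits a constructed web.config for a published sample key or a legacy validation algorithm. `DOC_SAMPLE_KEY_HEX`, the web.config and the set of "known sample keys" are constructed placeholders; the real Sitecore sample key is deliberately not reproduced.

```python
"""Added example: why a published machineKey turns ViewState into an RCE primitive,
and how to audit a web.config for the mistake. Simplified model, not ASP.NET's format."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def sign_viewstate(validation_key: bytes, state: bytes) -> str:
    """Server side: append HMAC-SHA256(validation_key, state) and base64 the field.
    Only the property that matters here is modelled: whoever holds validation_key
    can produce a tag the server will accept."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode()


def verify_viewstate(validation_key: bytes, field: str) -> Optional[bytes]:
    """Server side: return the state if the MAC verifies, else None. In real
    ASP.NET a verified field goes straight into the deserializer, so a forged
    but correctly signed field is attacker-controlled deserialization input."""
    raw = base64.b64decode(field)
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None


# Constructed placeholder standing in for a key copied out of vendor documentation.
# It is NOT the real Sitecore sample key; the attack only needs the value to be public.
DOC_SAMPLE_KEY_HEX = "1A2B3C4D5E6F7081" * 8  # 128 hex chars = 64-byte key
DUMMY_DECRYPTION_KEY_HEX = "00" * 32          # constructed, for the sample web.config
MALICIOUS_STATE = b"<serialized gadget chain that runs a command on deserialization>"


def forge_with_public_key(public_key_hex: str) -> str:
    """Attacker side: sign a malicious payload with the published key."""
    return sign_viewstate(bytes.fromhex(public_key_hex), MALICIOUS_STATE)


def server_accepts(server_key: bytes, field: str) -> bool:
    """True when the server's key validates the supplied field."""
    return verify_viewstate(server_key, field) is not None


# Constructed web.config fragment showing the copy-pasted key and a legacy algorithm.
WEAK_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{DOC_SAMPLE_KEY_HEX}" decryptionKey="{DUMMY_DECRYPTION_KEY_HEX}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config: str, known_sample_keys: Set[str]) -> List[str]:
    """Flag a <machineKey> that reuses a published sample key or a legacy algorithm.
    known_sample_keys holds hex strings the operator collected from public docs."""
    findings: List[str] = []
    mk = ET.fromstring(web_config).find("system.web/machineKey")
    if mk is None:
        return ["no <machineKey>: keys auto-generate per server; ViewState will not validate across a farm"]
    public = {k.upper() for k in known_sample_keys}
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate").upper().split(",")[0]
        if value in public:
            findings.append(f"{attr} matches a published sample key")
    if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1", "3DES"):
        findings.append("validation algorithm is legacy; use HMACSHA256")
    return findings


def generate_machine_key_element() -> str:
    """Emit a <machineKey> with fresh random keys: 64-byte validationKey for
    HMACSHA256 and 32-byte decryptionKey for AES-256, hex-encoded as ASP.NET expects."""
    return ('<machineKey validationKey="{}" decryptionKey="{}" '
            'validation="HMACSHA256" decryption="AES" />').format(
        secrets.token_hex(64).upper(), secrets.token_hex(32).upper())


if __name__ == "__main__":
    forged = forge_with_public_key(DOC_SAMPLE_KEY_HEX)
    print("copied doc key    ->", server_accepts(bytes.fromhex(DOC_SAMPLE_KEY_HEX), forged))  # True
    print("unique random key ->", server_accepts(secrets.token_bytes(64), forged))           # False
    print(audit_machine_key(WEAK_WEB_CONFIG, {DOC_SAMPLE_KEY_HEX}))
    print(generate_machine_key_element())
```

The audit deliberately takes the list of public keys as input rather than embedding any real value: collect the sample keys from the vendor guides you actually deployed from, then run the check against every web.config in the farm. Rotating to the generated element invalidates all outstanding ViewState, which is the intended effect.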

**From Simple Probe to Full Control**

The attack, as observed by Mandiant, follows a multi-step process. It starts with the attackers probing web servers before focusing on a specific Sitecore page that exposes a hidden ViewState form field. Once they gain a foothold, they deploy a reconnaissance tool, the WEEPSTEEL malware, to gather information about the system.

With initial access secured, the attackers steal sensitive configuration files and then deploy a suite of open-source tools to expand their control: EARTHWORM for tunnelling, DWAGENT for remote access, and SHARPHOUND for mapping the network. They then create new local administrator accounts and use them to harvest user credentials, allowing them to move deeper into the network. This highlights the methodical approach of the attackers.

**Warning**

In an urgent comment on the discovery, Ryan Dewhurst, head of proactive threat intelligence at watchTowr, pointed out that the vulnerability’s cause is a straightforward mistake by Sitecore users. “The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones,” he noted.

Sitecore, the vendor of the digital experience and content management platform of the same name, has confirmed that new deployments now generate unique keys automatically and that all affected customers have been contacted. Mandiant and Google were able to disrupt the attacks before they could fully unfold. However, Dewhurst warned that the “wider impact has not yet surfaced, but it will,” emphasising the potential for more widespread damage in the near future.

Related news

⚡ Weekly Recap: Drift Breach Chaos, Zero-Days Active, Patch Warnings, Smarter Threats & More

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the

CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience
