EXECUTIVE SUMMARY:
A vulnerability tracked as CVE-2025-53690 (CVSS 9.0) affects Sitecore deployments that inherited a sample ASP.NET machineKey from outdated deployment guides; the affected population is customers who deployed Sitecore XP 9.0 or earlier with Active Directory 1.4 or earlier. The machineKey protects the integrity and confidentiality of ASP.NET ViewState, so a key that is publicly known lets an attacker craft ViewState payloads the server accepts as genuine, and because ViewState is deserialized on the server this yields remote code execution. The attack chain began with HTTP probing of a publicly exposed page that renders a hidden __VIEWSTATE field without requiring authentication. With the compromised key in hand, the adversary moved quickly from web exploitation to deeper network compromise, indicating advanced product knowledge and a systematic approach involving reconnaissance, staging, credential theft, and lateral movement. The vulnerability is now tracked officially, and current deployments mitigate the issue by generating unique keys by default. Customers with legacy configurations are most at risk and have been alerted.
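Because the weakness is a static, publicly known key rather than a code defect, the practical first step is to find every web.config that carries a key copied from documentation or shared between environments. The script below is an added example, not Sitecore's code and not part of the original advisory: it parses constructed web.config fragments, flags a placeholder "sample" key (a made-up value, not the real published key), keys duplicated across hosts, repeating-pattern keys, and legacy algorithm or length choices, and emits a replacement element generated from a CSPRNG. All paths, keys and configs are constructed for the example.

```python
"""Audit ASP.NET <machineKey> settings across a set of web.config files.

Added example, not Sitecore's or Mandiant's code. It checks for the conditions
behind CVE-2025-53690: a validationKey copied from a public guide, one key shared
across environments, and legacy algorithm or length choices. All configs and
keys below are constructed; the "known sample" value is a placeholder, not the
real published key.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Placeholder standing in for a key lifted from an old deployment guide.
# Its repeating pattern is typical of a hand-written demo value.
SAMPLE_VALIDATION_KEY = "0123456789ABCDEF" * 8     # 128 hex chars = 64 bytes
SAMPLE_DECRYPTION_KEY = "FEDCBA9876543210" * 4     # 64 hex chars = 32 bytes
# Deterministic stand-ins for properly provisioned keys (real ones come from a CSPRNG).
GOOD_VALIDATION_KEY = hashlib.sha512(b"staging-example").hexdigest().upper()
GOOD_DECRYPTION_KEY = hashlib.sha256(b"staging-example").hexdigest().upper()


def config_with(vkey, dkey, validation, decryption):
    """Build a minimal web.config carrying an explicit <machineKey>."""
    return (f'<configuration><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="{validation}" decryption="{decryption}" />'
            '</system.web></configuration>')


# Constructed fleet: two production hosts sharing the guide's key, one staging
# host with a unique key, one host that never set an explicit key at all.
CONFIGS = {
    "cm-prod/web.config": config_with(SAMPLE_VALIDATION_KEY, SAMPLE_DECRYPTION_KEY, "SHA1", "AES"),
    "cd-prod/web.config": config_with(SAMPLE_VALIDATION_KEY, SAMPLE_DECRYPTION_KEY, "SHA1", "AES"),
    "cd-staging/web.config": config_with(GOOD_VALIDATION_KEY, GOOD_DECRYPTION_KEY, "HMACSHA256", "AES"),
    "cd-legacy/web.config": '<configuration><system.web><compilation debug="false" /></system.web></configuration>',
}
KNOWN_SAMPLE_KEYS = {SAMPLE_VALIDATION_KEY}   # populate from your own historical guides


def parse_machine_key(xml_text):
    """Return the <machineKey> attributes, or None when the element is absent."""
    root = ET.fromstring(xml_text)
    system_web = next((c for c in root if c.tag == "system.web"), None)
    if system_web is None:
        return None
    mk = next((c for c in system_web if c.tag == "machineKey"), None)
    return None if mk is None else dict(mk.attrib)


def is_periodic(hexkey):
    """True when the key is a short pattern repeated; CSPRNG output will not be."""
    return bool(hexkey) and (hexkey + hexkey).find(hexkey, 1) < len(hexkey)


def audit(configs, known_sample_keys=KNOWN_SAMPLE_KEYS):
    """Map each config path to its findings; configs with none are omitted."""
    findings = defaultdict(list)
    owners = defaultdict(list)   # validationKey -> configs that use it
    for path, xml_text in configs.items():
        mk = parse_machine_key(xml_text)
        if mk is None:
            # No element means the default AutoGenerate,IsolateApps: a key that is
            # unique per application and host, which is safe for a single server.
            continue
        vkey = mk.get("validationKey", "").upper()
        dkey = mk.get("decryptionKey", "").upper()
        if vkey.startswith("AUTOGENERATE"):
            continue
        owners[vkey].append(path)
        if vkey in known_sample_keys:
            findings[path].append("validationKey matches a published sample key")
        if is_periodic(vkey) or is_periodic(dkey):
            findings[path].append("key is a repeated pattern, not CSPRNG output")
        if len(vkey) < 128:
            findings[path].append("validationKey shorter than 64 bytes")
        if len(dkey) not in (32, 48, 64):
            findings[path].append("decryptionKey is not a valid AES length")
        if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings[path].append(f"weak validation algorithm {mk['validation']}")
        if mk.get("decryption", "Auto").upper() in ("3DES", "DES"):
            findings[path].append(f"weak decryption algorithm {mk['decryption']}")
    for vkey, paths in owners.items():
        if len(paths) > 1:
            for path in paths:
                others = sorted(p for p in paths if p != path)
                findings[path].append("validationKey shared with " + ", ".join(others))
    return dict(findings)


def generate_machine_key():
    """Emit a fresh <machineKey>: 64-byte HMACSHA256 key, 32-byte AES key."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for path, items in audit(CONFIGS).items():
        print(path)
        for item in items:
            print("  -", item)
    print("Replacement element:", generate_machine_key())
```

If a web farm genuinely needs one key across several content-delivery servers, that key should still be generated once per environment and distributed through a secrets store, never through a deployment guide; any key that appears in documentation should be treated as a key the attacker already has.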
The attacker’s entry relied on ViewState deserialization abuse against an internet-facing instance: crafted POST requests to a known endpoint produced ASP.NET error events for ViewState verification failures, confirming that attacker-supplied ViewState was being fed into the pipeline protected by the exposed machineKey. A decrypted ViewState blob revealed an embedded .NET assembly named Information.dll, tracked as WEEPSTEEL, designed for reconnaissance: it collected details on the operating system, processes, network adapters, and installed applications, and exfiltrated the results inside responses disguised as ViewState. Code execution under the IIS worker process led to harvesting of configuration files, notably web.config, followed by host and domain discovery. Tooling was staged in public user directories, including EARTHWORM for SOCKS proxy tunneling, DWAgent for remote access, and SharpHound for Active Directory enumeration. The actor escalated privileges by creating local administrator accounts named to mimic service accounts, dumped the SAM and SYSTEM registry hives to recover password hashes, and established RDP sessions tunneled through EARTHWORM. Further activity suggested the use of a token-theft utility written in Go that attempted to impersonate security tokens to escalate privileges. The full sequence reflected a familiar progression: ViewState exploitation, configuration theft, reconnaissance, tunneling and persistence, account creation, credential dumping, and lateral movement via RDP, supported by common tools and living-off-the-land binaries.
This illustrates how legacy deployment practices can create enduring risks: a single reused machineKey undermines ASP.NET ViewState validation, turning even a benign page into an RCE entry point. Administrators are strongly advised to ensure unique, strong machineKey values and to audit historical deployments for configurations based on outdated guides. Detection strategies should include correlating unauthenticated POST requests with ASP.NET event log entries reporting ViewState verification failures, reviewing IIS logs for anomalous traffic, and investigating suspicious activity such as unexpected admin account creation, staging of tools in unusual directories, and the presence of EARTHWORM, DWAgent, SharpHound, or token-theft utilities. Containment should involve rotating application secrets, starting with the machineKey, resetting exposed credentials, and monitoring for RDP access tunneled through unauthorized processes. Network defenders can further reduce risk by flagging reverse SOCKS proxy traffic and blocking suspicious outbound tunnels, while endpoints should enforce restrictions on script execution and unsigned binaries under web service accounts. Longer-term defenses require consistent configuration hygiene, elimination of shared secrets across environments, least privilege for web worker processes, and proactive monitoring of exposed endpoints that rely on stateful features such as ViewState.
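As an added illustration of the first detection strategy above (not code from the advisory or from the original investigation), the script below correlates unauthenticated POSTs to .aspx pages in an IIS W3C log with the ASP.NET health-monitoring event that the Application log receives when ViewState fails its MAC check (Event ID 1316, event code 4009, "Viewstate verification failed"). The log lines, the event records and the path /example/status.aspx are constructed; both sources are assumed to carry timestamps in the same time zone. Note the failure mode this has to handle: a ViewState forged with the correct key verifies cleanly and raises no failure event, so the signal worth escalating is a client whose failures are followed by a 200 from the same page.

```python
"""Correlate unauthenticated POSTs (IIS W3C log) with ASP.NET ViewState
verification failures (Application log, Event ID 1316 / event code 4009).

Added detection example, not the advisory's or Mandiant's code. All log data
is constructed; /example/status.aspx is a placeholder path.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS log excerpt with a subset of the default W3C fields.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-09-03 10:14:02 10.0.0.5 GET /example/status.aspx - 443 - 203.0.113.7 python-requests/2.31 200 31
2025-09-03 10:14:05 10.0.0.5 POST /example/status.aspx - 443 - 203.0.113.7 python-requests/2.31 500 12
2025-09-03 10:14:06 10.0.0.5 POST /example/status.aspx - 443 - 203.0.113.7 python-requests/2.31 500 9
2025-09-03 10:14:09 10.0.0.5 POST /example/status.aspx - 443 - 203.0.113.7 python-requests/2.31 200 140
2025-09-03 10:20:11 10.0.0.5 POST /admin/dashboard.aspx - 443 CORP\\jsmith 198.51.100.20 Mozilla/5.0 200 77
2025-09-03 10:21:40 10.0.0.5 POST /example/status.aspx - 443 - 198.51.100.44 Mozilla/5.0 200 18
""".splitlines()


def _aspnet_event(time, event_id, code, message, path, client, authenticated):
    """Build a record shaped like the body of an ASP.NET health-monitoring event."""
    return {"time": time, "event_id": event_id, "message": (
        f"Event code: {code}\nEvent message: {message}\n"
        f"Request path: {path}\nUser host address: {client}\n"
        f"Is authenticated: {authenticated}")}


# Constructed Application-log records. 1316/4009 is the ViewState MAC failure;
# 1309/3005 is an unrelated unhandled-exception event kept as a control.
ASPNET_EVENTS = [
    _aspnet_event("2025-09-03 10:14:05", 1316, 4009,
                  "Viewstate verification failed. Reason: The viewstate supplied failed integrity check.",
                  "/example/status.aspx", "203.0.113.7", "False"),
    _aspnet_event("2025-09-03 10:14:06", 1316, 4009,
                  "Viewstate verification failed. Reason: The viewstate supplied failed integrity check.",
                  "/example/status.aspx", "203.0.113.7", "False"),
    _aspnet_event("2025-09-03 11:02:13", 1309, 3005,
                  "An unhandled exception has occurred.",
                  "/admin/dashboard.aspx", "198.51.100.20", "True"),
]


def parse_iis(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def parse_event_fields(message):
    """Turn the 'Name: value' lines of an ASP.NET event body into a dict."""
    return dict(re.findall(r"^([A-Za-z ]+): (.*)$", message, re.M))


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(iis_lines, events, window_seconds=60, min_posts=2):
    """Return one alert per (client, page) where a ViewState failure event is
    surrounded by at least min_posts unauthenticated POSTs from that client."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)            # (client ip, page) -> [(ts, status)]
    for row in parse_iis(iis_lines):
        if row["cs-method"] != "POST" or row["cs-username"] != "-":
            continue                     # authenticated or non-POST traffic
        page = row["cs-uri-stem"].lower()
        if not page.endswith(".aspx"):
            continue
        posts[(row["c-ip"], page)].append((_ts(f'{row["date"]} {row["time"]}'), row["sc-status"]))
    alerts = {}
    for ev in events:
        if ev["event_id"] != 1316:
            continue
        f = parse_event_fields(ev["message"])
        key = (f.get("User host address"), f.get("Request path", "").lower())
        ev_ts = _ts(ev["time"])
        nearby = [p for p in posts.get(key, []) if abs(p[0] - ev_ts) <= window]
        if len(nearby) < min_posts:
            continue
        alert = alerts.setdefault(key, {"client": key[0], "page": key[1], "failures": 0,
                                        "posts": set(), "accepted_after": False})
        alert["failures"] += 1
        alert["posts"].update(nearby)
        # A 200 from the same client after a failure is the transition to watch:
        # a ViewState the server accepted once the right key or generator was used.
        alert["accepted_after"] |= any(st == "200" and ts >= ev_ts for ts, st in posts[key])
    return list(alerts.values())


if __name__ == "__main__":
    for a in correlate(IIS_LOG, ASPNET_EVENTS):
        print(f"{a['client']} -> {a['page']}: {a['failures']} MAC failures, "
              f"{len(a['posts'])} unauthenticated POSTs, accepted afterwards: {a['accepted_after']}")
```

The control records show what the rule ignores: the authenticated POST and the unrelated 1309 exception event never pair up, and a lone unauthenticated POST with no failure event stays below the threshold. Tune window_seconds and min_posts to the page's normal traffic, and remember that a page with no form of its own should see no legitimate POSTs at all.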
THREAT PROFILE:
Tactic               | Technique ID | Technique                         | Sub-technique
Initial Access       | T1190        | Exploit Public-Facing Application | –
Execution            | T1059.005    | Command and Scripting Interpreter | Visual Basic
Persistence          | T1136.001    | Create Account                    | Local Account
Persistence          | T1133        | External Remote Services          | –
Privilege Escalation | T1548        | Abuse Elevation Control Mechanism | –
Credential Access    | T1003.002    | OS Credential Dumping             | Security Account Manager
Credential Access    | T1003.004    | OS Credential Dumping             | LSA Secrets
Discovery            | T1087.001    | Account Discovery                 | Local Account
Discovery            | T1087.002    | Account Discovery                 | Domain Account
Discovery            | T1018        | Remote System Discovery           | –
Discovery            | T1482        | Domain Trust Discovery            | –
Discovery            | T1083        | File and Directory Discovery      | –
Lateral Movement     | T1021.001    | Remote Services                   | Remote Desktop Protocol
Command & Control    | T1071.001    | Application Layer Protocol        | Web Protocols
Exfiltration         | T1041        | Exfiltration Over C2 Channel      | –
RECOMMENDATION:
We strongly recommend following the guidance and instructions at the link below:
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
REFERENCES:
The following reports contain further technical details: