Sitecore bug abused
Threat actors exploited a zero-day bug in legacy Sitecore deployments to install WeepSteel spying malware.
The bug, tracked as CVE-2025-53690, is a ViewState deserialization flaw that stems from a sample ASP.NET machine key included in Sitecore deployment guides published before 2017.
Some customers copied that key into production. Anyone who knew it could forge ‘__VIEWSTATE’ values carrying a valid message authentication code (MAC); the server accepted them as its own, deserialized the embedded payload and executed it, giving the attacker remote code execution (RCE).
The vulnerability is not a bug in ASP.NET itself; it is a configuration weakness caused by reusing publicly documented keys that were never meant for production use.
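The mechanism above, as an added example that is not code from the article, Sitecore or Mandiant. It models the legacy ASP.NET ViewState MAC as HMAC-SHA256 over the serialized state keyed with validationKey (real ASP.NET also mixes in the page path or ViewStateUserKey and, from .NET 4.5, derives purpose-specific subkeys, but the consequence of a shared key is the same), shows that whoever holds a published key can forge a blob the server accepts, and includes a web.config audit that flags a static or publicly documented key. Every key value and the denylist entry are constructed placeholders, not the real sample key.

```python
"""Added example: why a published machineKey makes __VIEWSTATE forgeable, plus a
web.config check.  Keys below are constructed placeholders, not Sitecore's sample."""
import base64
import hashlib
import hmac
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed web.config fragment with a static machineKey copied from a guide.
# The hex values are placeholders chosen for this example, not a real key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Hypothetical denylist of key values that appear in public documentation.
KNOWN_PUBLISHED_VALIDATION_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}


def extract_machine_key(web_config_xml: str) -> Optional[dict]:
    """Return the <machineKey> attributes, or None when keys are auto-generated."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else None


def audit_machine_key(web_config_xml: str) -> list:
    """Findings a reviewer would raise about the machineKey element."""
    findings = []
    mk = extract_machine_key(web_config_xml)
    if mk is None:
        return findings  # AutoGenerate: nothing published to reuse
    vk = mk.get("validationKey", "")
    if vk.upper() in KNOWN_PUBLISHED_VALIDATION_KEYS:
        findings.append("validationKey matches a publicly documented sample key")
    elif re.fullmatch(r"[0-9A-Fa-f]+", vk):
        findings.append("validationKey is static; confirm it is unique to this deployment")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("weak validation algorithm")
    return findings


def sign_viewstate(serialized_state: bytes, validation_key_hex: str) -> str:
    """Simplified legacy ViewState MAC: base64(state || HMAC-SHA256(key, state))."""
    key = bytes.fromhex(validation_key_hex)
    mac = hmac.new(key, serialized_state, hashlib.sha256).digest()
    return base64.b64encode(serialized_state + mac).decode()


def verify_viewstate(viewstate_b64: str, validation_key_hex: str) -> Optional[bytes]:
    """Server side: return the state bytes if the MAC checks out, else None."""
    blob = base64.b64decode(viewstate_b64)
    state, mac = blob[:-32], blob[-32:]
    key = bytes.fromhex(validation_key_hex)
    expected = hmac.new(key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def generate_validation_key() -> str:
    """Fresh 64-byte validationKey for rotating out a published key."""
    return secrets.token_bytes(64).hex().upper()


def demo() -> dict:
    published_key = extract_machine_key(SAMPLE_WEB_CONFIG)["validationKey"]
    # An attacker who knows the published key forges a __VIEWSTATE that validates.
    # (Stand-in bytes; a real payload would be a serialized gadget chain.)
    forged = sign_viewstate(b"<serialized gadget chain>", published_key)
    accepted_before = verify_viewstate(forged, published_key) is not None
    # After rotating to a per-deployment key the same blob fails the MAC check.
    accepted_after = verify_viewstate(forged, generate_validation_key()) is not None
    return {"findings": audit_machine_key(SAMPLE_WEB_CONFIG),
            "accepted_before": accepted_before, "accepted_after": accepted_after}


if __name__ == "__main__":
    print(demo())
```

The fix the audit points at is the one Sitecore customers need: replace the documented key with a freshly generated, per-deployment value and keep it out of any shared guide or repository; a MAC only proves the blob came from someone holding the key, so a key everyone holds proves nothing.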
About exploitation
Mandiant investigators found the exploit in use in the wild and said the attackers chained it into multi-stage intrusions. They targeted the ‘/sitecore/blocked.Aspx’ endpoint, which exposes a ViewState field to unauthenticated requests, and used CVE-2025-53690 to gain RCE.
The payload they deploy is WeepSteel, a reconnaissance backdoor that collects process, system, disk and network details and disguises its exfiltration as ordinary ViewState responses. Mandiant also observed reconnaissance commands being run on compromised systems: tasklist, ipconfig /all, whoami and netstat -ano.
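Two detection checks for the activity described above, as an added example that is not from the article, Mandiant or Sitecore. It assumes forged ViewState POSTs to the endpoint are unusually large compared with normal traffic, and that the recon commands run as children of the IIS worker process (w3wp.exe); the IIS W3C log lines and process-creation events below are constructed for the example, not real telemetry.

```python
"""Added example: flag large POSTs to the targeted endpoint in IIS logs and recon
commands spawned by the IIS worker process.  All input data is constructed."""
import re
from collections import Counter

# Constructed IIS W3C log lines (date time c-ip cs-method cs-uri-stem sc-status cs-bytes).
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2025-09-03 10:01:12 203.0.113.7 GET /sitecore/login 200 512
2025-09-03 10:01:15 203.0.113.7 POST /sitecore/blocked.aspx 200 48211
2025-09-03 10:01:19 203.0.113.7 POST /sitecore/blocked.aspx 200 47988
2025-09-03 10:02:03 198.51.100.4 GET / 200 311
"""

# Constructed process-creation events: (parent_image, image, command_line).
PROCESS_EVENTS = [
    ("w3wp.exe", "cmd.exe", 'cmd.exe /c "tasklist"'),
    ("w3wp.exe", "cmd.exe", 'cmd.exe /c "ipconfig /all"'),
    ("w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    ("w3wp.exe", "cmd.exe", 'cmd.exe /c "netstat -ano"'),
    ("explorer.exe", "cmd.exe", 'cmd.exe /c "ipconfig /all"'),  # admin at console; not flagged
]

TARGET_ENDPOINT = "/sitecore/blocked.aspx"
# Assumption: a forged __VIEWSTATE carrying a gadget chain makes the POST body large.
LARGE_POST_BYTES = 8192
RECON_COMMANDS = ("tasklist", "ipconfig", "whoami", "netstat")


def suspicious_viewstate_posts(log_text: str) -> list:
    """Return (client_ip, uri, bytes) for large POSTs to the targeted endpoint."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        _date, _time, ip, method, uri, _status, cs_bytes = line.split()
        if method == "POST" and uri.lower() == TARGET_ENDPOINT and int(cs_bytes) >= LARGE_POST_BYTES:
            hits.append((ip, uri, int(cs_bytes)))
    return hits


def recon_from_worker_process(events) -> list:
    """Flag recon commands whose parent is the IIS worker process."""
    pattern = re.compile(r"\b(" + "|".join(RECON_COMMANDS) + r")\b", re.I)
    flagged = []
    for parent, image, cmdline in events:
        if parent.lower() != "w3wp.exe":
            continue
        m = pattern.search(cmdline)
        if m:
            flagged.append((image, m.group(1).lower()))
    return flagged


def summarize(log_text: str, events) -> dict:
    posts = suspicious_viewstate_posts(log_text)
    recon = recon_from_worker_process(events)
    return {"viewstate_posts_by_ip": Counter(ip for ip, _, _ in posts),
            "recon_commands": [cmd for _, cmd in recon]}


if __name__ == "__main__":
    print(summarize(IIS_LOG, PROCESS_EVENTS))
```

Neither check alone is conclusive: a legitimate form post can be large, and an administrator can run ipconfig from a shell. A large POST to an endpoint that should not receive them, followed minutes later by w3wp.exe spawning these four commands, is the combination worth an alert.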
Mandiant observed the execution of reconnaissance commands on compr
[…]