Researchers warn of zero-day vulnerability in SiteCore products

This web page was created programmatically; to read the article in its original location, go to the link below:
https://www.cybersecuritydive.com/news/researchers-warn-zero-day-vulnerability-sitecore/759269/
If you wish to remove this article from our website, please contact us.


Security researchers from Google on Wednesday warned of a zero-day vulnerability they found in the SiteCore content management system platform in connection with a ViewState deserialization attack they successfully disrupted.

The attack involved leveraging exposed ASP.NET keys to perform remote code execution, according to a blog post by Google’s Mandiant Threat Defense. A sample machine key had been exposed in SiteCore deployment guides from 2017 and prior, according to the blog.

Researchers did not provide any details on the organization targeted in the attack.

The vulnerability, tracked as CVE-2025-53690, is linked to deserialization of untrusted data in SiteCore Experience Manager and SiteCore Experience Platform.

SiteCore urged users to immediately update their accounts through its security patches and to take additional steps to check their environments for potential compromise, according to a bulletin released Tuesday by the company. The bulletin has since been updated.

Insecure configuration

Mandiant researchers said in their blog post that while they were not able to observe the complete attack life cycle, the attacker demonstrated “deep understanding of the compromised product.”

The attacker behind the exploit was “using a static ASP.NET machine key” that was previously released in product documentation in order to target exposed instances of SiteCore, Caitlin Condon, VP of security research at VulnCheck, told Cybersecurity Dive.

“The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure,” Condon stated, “and as we’ve seen plenty of times before, threat actors definitely read documentation.”
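A defender can check for the configuration described above by auditing each site's `web.config` for a hard-coded `<machineKey>`. The following is an added example, not code from the article, Mandiant or SiteCore; the key in `KNOWN_PUBLIC_KEYS` and the sample configs are constructed placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder, NOT a real key: populate with machine keys known to be
# public (for example, sample values copied from old deployment guides).
KNOWN_PUBLIC_KEYS = {"0123456789ABCDEF" * 4}

def audit_machine_key(web_config_xml, known_public=KNOWN_PUBLIC_KEYS):
    """Return (attribute, verdict) findings for every <machineKey> in a web.config."""
    known = {k.upper() for k in known_public}
    findings = []
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an XML namespace
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate").strip()
            # "AutoGenerate" or "AutoGenerate,IsolateApps": key is generated per machine
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue
            if value.upper() in known:
                findings.append((attr, "PUBLIC"))  # published key: rotate immediately
            else:
                findings.append((attr, "STATIC"))  # hard-coded: confirm unique and secret
    return findings

# Constructed sample inputs.
SAMPLE_COPIED = f'''<configuration><system.web>
  <machineKey validationKey="{"0123456789abcdef" * 4}"
              decryptionKey="A1B2C3D4E5F60718293A4B5C6D7E8F90" />
</system.web></configuration>'''
SAMPLE_AUTO = '''<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>'''

if __name__ == "__main__":
    for name, doc in (("copied", SAMPLE_COPIED), ("auto", SAMPLE_AUTO)):
        print(name, audit_machine_key(doc))
```

A `PUBLIC` finding means the key should be treated as compromised and replaced; a `STATIC` finding only means the key is hard-coded and its origin should be verified.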

