
CVE-2025-53690 PoC — Sitecore Products ViewState Deserialization Vulnerability

Associated Vulnerability
Title: Sitecore Products ViewState Deserialization Vulnerability (CVE-2025-53690)
Description: Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Readme
## CVE-2025-53690: Critical Remote Code Execution Vulnerability in Sitecore XM/XP

CVE-2025-53690 is a critical vulnerability in Sitecore's Experience Manager (XM) and Experience Platform (XP), versions up to 9.0. It stems from insecure deserialization of untrusted ViewState data and becomes exploitable when the ASP.NET machine keys that protect ViewState are exposed. The flaw allows attackers to execute arbitrary code remotely and compromise the affected systems.

### Vulnerability Details

* **Type**: Deserialization of Untrusted Data (CWE-502)
* **Severity**: Critical
* **CVSS Score**: 9.0
* **Impacted Versions**: Sitecore Experience Manager (XM) and Experience Platform (XP) through version 9.0
* **Exploitation Method**: Attackers exploit exposed machine keys from public deployment guides to perform remote code execution via ViewState deserialization attacks.

### Attack Vector

The vulnerability arises when Sitecore applications deserialize ViewState data without proper validation, allowing attackers to inject malicious code. Because the integrity check on ViewState depends entirely on the secrecy of the machineKey, internet-facing deployments that still use default or publicly documented machine keys are the most exposed.

### Real-World Exploitation

Mandiant Threat Defense identified active exploitation of this vulnerability, where attackers leveraged the exposed machine key to gain unauthorized access. The attack chain included:

1. **Initial Compromise**: Exploitation of the ViewState deserialization flaw to execute arbitrary code.
2. **Malware Deployment**: Installation of reconnaissance tools like WEEPSTEEL for internal network mapping.
3. **Credential Harvesting**: Collection of sensitive files and creation of local administrator accounts to dump system credentials.
4. **Lateral Movement**: Use of compromised credentials for further system access.

### Mitigation

Sitecore has released patches addressing CVE-2025-53690. Affected users are urged to apply these updates promptly. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, recommending remediation by September 25, 2025.

For detailed guidance, refer to Sitecore's Security Bulletin SC2025-005.
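One defensive check that follows from the point about default or exposed machine keys, added here as an example (it is not code from the PoC repository or from Sitecore): a small Python audit of the `<machineKey>` and `<pages>` elements in an ASP.NET `web.config`, plus a generator for replacement keys to use when rotating. The values in `PUBLISHED_SAMPLE_KEYS`, the length thresholds, and the two embedded `web.config` strings are constructed for this example; substitute the exact key strings from whatever public deployment guide or sample config applies to your installation.

```python
"""Audit an ASP.NET web.config for machineKey settings that make ViewState
forgery possible once a key leaks, and produce fresh keys for rotation."""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders for this example, NOT real published keys: put the
# validationKey/decryptionKey strings from any public guide or sample config here.
PUBLISHED_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,   # hypothetical sample validationKey (128 hex chars)
    "FEDCBA9876543210" * 4,   # hypothetical sample decryptionKey (64 hex chars)
}
WEAK_VALIDATION_ALGS = {"MD5", "SHA1", "3DES"}   # legacy; prefer HMACSHA256 or stronger
WEAK_DECRYPTION_ALGS = {"DES", "3DES"}           # legacy; prefer AES
MIN_VALIDATION_HEX = 128   # 64-byte key: this script's policy for HMACSHA256
MIN_DECRYPTION_HEX = 64    # 32-byte key (AES-256): this script's policy
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return finding codes for the settings that weaken ViewState protection."""
    findings: list[str] = []
    root = ET.fromstring(web_config_xml)
    sysweb = next((c for c in root if c.tag == "system.web"), None)
    if sysweb is None:
        return ["no-system.web-section"]

    pages = sysweb.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # With MAC validation off, any client can submit arbitrary ViewState.
        findings.append("viewstate-mac-disabled")

    mk = sysweb.find("machineKey")
    if mk is None:
        # ASP.NET then auto-generates a per-server key: fine on a single node,
        # but a web farm needs an explicit shared key that is kept secret.
        findings.append("no-explicit-machineKey")
        return findings

    for attr, min_hex, weak_algs, alg_attr in (
        ("validationKey", MIN_VALIDATION_HEX, WEAK_VALIDATION_ALGS, "validation"),
        ("decryptionKey", MIN_DECRYPTION_HEX, WEAK_DECRYPTION_ALGS, "decryption"),
    ):
        # Value may be "AutoGenerate[,IsolateApps]" or "<hex>[,IsolateApps]".
        raw = mk.get(attr, "AutoGenerate,IsolateApps").split(",")[0].strip()
        if raw.lower() != "autogenerate":
            if raw.upper() in PUBLISHED_SAMPLE_KEYS:
                findings.append(f"{attr}-is-published-sample")
            elif not HEX_RE.match(raw):
                findings.append(f"{attr}-not-hex")
            elif len(raw) < min_hex:
                findings.append(f"{attr}-shorter-than-policy")
        if mk.get(alg_attr, "").upper() in weak_algs:
            findings.append(f"{alg_attr}-algorithm-weak")
    return findings


def generate_machine_key() -> dict[str, str]:
    """Fresh random keys for a rotation, hex-encoded as web.config expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys: dict[str, str]) -> str:
    """Serialise the keys as the <machineKey .../> element to paste into web.config."""
    return "<machineKey " + " ".join(f'{k}="{v}"' for k, v in keys.items()) + " />"


# Constructed sample: a config that reuses the (placeholder) published keys.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="{}" decryptionKey="{}" validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""".format("0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4)


def hardened_web_config() -> str:
    """Constructed sample: the same config after rotating to fresh keys."""
    return (
        '<?xml version="1.0"?><configuration><system.web>'
        '<pages enableViewStateMac="true" />'
        + render_machine_key(generate_machine_key())
        + "</system.web></configuration>"
    )


if __name__ == "__main__":
    print("weak config findings:", audit_machine_key(WEAK_WEB_CONFIG))
    print("hardened config findings:", audit_machine_key(hardened_web_config()))
    print("replacement element:", render_machine_key(generate_machine_key()))
```

The audit only looks at the static configuration; a key that was copied from a public document is indistinguishable from a strong one unless it is in the comparison set, so the real mitigation is to rotate any key whose origin is unknown and to keep the replacement out of version control.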
File Snapshot

[4.0K] /data/pocs/885f56d858a96c2cbcfc4e5f21787eb798322cca
└── [2.1K] README.md

0 directories, 1 file