
CVE-2025-53690 PoC — Sitecore Products ViewState Deserialization Vulnerability

Associated Vulnerability
Title: Sitecore Products ViewState Deserialization Vulnerability (CVE-2025-53690)
Description: Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Description: CVE-2025-53690 POC
Readme
# Sitecore Critical Deserialization (RCE) CVE-2025-53690 POC and Nuclei Template

**Short summary**  
This repository hosts a detection template and supporting materials for **CVE-2025-53690 (Sitecore)**. The included Nuclei template helps scan for Sitecore instances that appear to be configured in a way that could be vulnerable to the issue described in my write-up (lab-reproduced analysis & PoC). This repo is intended for defenders, incident responders, and auditors who need to rapidly identify potentially affected hosts in their estate.

> ⚠️ **Responsible use only.** Do **not** scan or test systems you do not own or do not have explicit written permission to test. Unauthorized scanning may be illegal and will cause harm. Read the “Responsible disclosure & legal” section below.


---

## Quick start — scanning with Nuclei

1. Install Nuclei (see the installation instructions):
   https://github.com/projectdiscovery/nuclei?tab=readme-ov-file#installation
2. Clone the repo:
   ```bash
   git clone https://github.com/ErikLearningSec/CVE-2025-53690-POC.git && cd CVE-2025-53690-POC
   ```
3. Scan a single host:
   ```bash
   nuclei -t CVE-2025-53690.yaml -target https://example.com -o results.txt
   ```
4. Scan multiple targets (from a file):
   ```bash
   nuclei -t CVE-2025-53690.yaml -list targets.txt -o results.txt
   ```


---

## How detection works (high level)

The template checks for ViewState deserialization on the `/sitecore/default.aspx` endpoint, commonly present on Sitecore installations, by sending a ViewState payload that adds an arbitrary header, `X-Pentest-Deser`, to the response. If the response contains that header, the template reports a hit. This is just a *heuristic* detector: a positive result is an indicator that requires manual validation and safe follow-up testing in a controlled environment.

> Note: The template intentionally **does not** include exploit payloads or automated exploitation logic. It is designed for safe discovery only.
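The two facts above (a POST of a ViewState payload to `/sitecore/default.aspx`, and a response carrying `X-Pentest-Deser`) are also what a defender can look for in their own telemetry. The script below is an added example, not part of this repository or its Nuclei template: it parses an IIS W3C extended log excerpt, flags POSTs to the Sitecore endpoint from outside an assumed editor network, and checks a response header set for the indicator header. The log layout, the `10.0.0.0/8` internal range and the sample lines are constructed assumptions.

```python
"""Log-side triage for probes of the Sitecore ViewState endpoint.

Added example, not code from the CVE-2025-53690-POC repository. The README
states that the Nuclei template POSTs a ViewState payload to
/sitecore/default.aspx and looks for an injected X-Pentest-Deser response
header; on the defending side those same facts become log indicators.
The IIS W3C log layout, the internal network range and the sample lines
below are constructed assumptions for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SITECORE_ENDPOINT = "/sitecore/default.aspx"   # endpoint named in the README
INDICATOR_HEADER = "x-pentest-deser"            # header the template watches for

# Assumption: CMS editors reach /sitecore from this range; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed IIS W3C extended log excerpt (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes time-taken
2025-11-03 10:01:07 10.0.0.5 GET /sitecore/login - 443 - 10.0.1.20 Mozilla/5.0 200 5123 18
2025-11-03 10:01:09 10.0.0.5 POST /sitecore/default.aspx - 443 - 10.0.1.20 Mozilla/5.0 302 219 22
2025-11-03 10:02:41 10.0.0.5 POST /sitecore/default.aspx - 443 - 203.0.113.77 Nuclei+-+Open-source+project 200 0 131
2025-11-03 10:02:41 10.0.0.5 POST /Sitecore/Default.aspx - 443 - 203.0.113.77 Nuclei+-+Open-source+project 500 4312 404
2025-11-03 10:03:02 10.0.0.5 GET /api/content - 443 - 198.51.100.9 curl/8.4.0 200 812 3
"""


@dataclass
class Probe:
    timestamp: str
    client_ip: str
    path: str
    status: int
    user_agent: str


def parse_w3c(log_text: str) -> list[dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # unknown layout or malformed line: skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def is_internal(ip: str, internal_nets=INTERNAL_NETS) -> bool:
    """True if the client address falls inside the assumed editor network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: keep it in scope rather than silently drop it
    return any(addr in net for net in internal_nets)


def find_viewstate_probes(rows, internal_nets=INTERNAL_NETS) -> list[Probe]:
    """External POSTs to the Sitecore endpoint; the path is compared case-insensitively, as IIS routes it."""
    probes: list[Probe] = []
    for r in rows:
        if r["cs-method"].upper() != "POST":
            continue
        if r["cs-uri-stem"].lower() != SITECORE_ENDPOINT:
            continue
        if is_internal(r["c-ip"], internal_nets):
            continue
        probes.append(Probe(
            timestamp=f'{r["date"]} {r["time"]}',
            client_ip=r["c-ip"],
            path=r["cs-uri-stem"],
            status=int(r["sc-status"]),
            user_agent=r["cs(User-Agent)"].replace("+", " "),  # IIS encodes spaces as '+'
        ))
    return probes


def summarize(probes) -> dict[str, dict]:
    """Per-source counts; a 5xx after a ViewState POST is the first thing to look at."""
    out: dict[str, dict] = defaultdict(lambda: {"requests": 0, "server_errors": 0, "user_agents": set()})
    for p in probes:
        s = out[p.client_ip]
        s["requests"] += 1
        s["server_errors"] += 1 if p.status >= 500 else 0
        s["user_agents"].add(p.user_agent)
    return dict(out)


def response_shows_indicator(headers: dict[str, str]) -> bool:
    """True if a logged or proxied response carries the header the template injects."""
    return any(name.lower() == INDICATOR_HEADER for name in headers)


if __name__ == "__main__":
    for ip, s in summarize(find_viewstate_probes(parse_w3c(SAMPLE_LOG))).items():
        print(f'{ip}: {s["requests"]} POSTs, {s["server_errors"]} server errors, UA={sorted(s["user_agents"])}')
```

Run it against a real log export by replacing `SAMPLE_LOG` with the file contents and adjusting `INTERNAL_NETS` to the range your editors actually use; the `#Fields:` line in the export drives the column mapping, so a different IIS field selection still parses as long as the referenced columns are present.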

---

## Validation & follow-up (recommended workflow)

1. **Confirm ownership / permission.** Ensure you have authorization for the domain or IP range.
2. **Run the nuclei template** against staging first where possible.
3. **Manual validation**: If there is a match, read the detailed analysis blog below to manually check and confirm the vulnerability.

---

## Responsible disclosure & legal

- **Do not** use the templates for offensive activity.  
- Use only on systems you own or have written permission to test.  
- If you discover a confirmed vulnerable production system **not owned by you**, contact the owner/administrator or follow the vendor’s disclosure process.  
- I accept no liability for misuse of this repository.

---

## Read the full analysis

For background, exploitation context, and recommended mitigations, read the full technical write-up:

- Vietnamese: https://sec.vnpt.vn/2025/11/Sitecore-CVE-2025-53690-Detailed-Analysis-andamp-Weaponized-POC-Why-you-shouldnt-blindly-trust-the-documentation
- English: https://eriklearningsec.com/p/cve-2025-53690/

---

## Contributing

If you find a false positive or want to improve the detection template, please open an issue or submit a pull request. Keep changes focused on detection tuning and false-positive reduction — **do not** add exploitation code.


File Snapshot

[4.0K] /data/pocs/b5ec7275414eea2fbcba9f29f93c8b95a9705921
├── [9.3K] CVE-2025-53690.yaml
├── [1.3K] MemShellClass.cs
└── [3.2K] README.md

1 directory, 3 files