Sitecore: Attackers can inject malicious code – without logging in

A critical security vulnerability has been identified in the Sitecore CMS that allows attackers to inject code without authentication. Attacks are reportedly already underway.

The Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP), both available as cloud and on-premises products, are affected by a critical vulnerability. Attackers can inject and execute malicious code without prior login, and the flaw is reportedly already being exploited on the Internet.

Sitecore describes the problem in a security advisory. The flaw is of the type "Deserialization of untrusted data" and lets attackers inject code that the server then executes (CVE-2025-53690 / EUVD-2025-26629, CVSS 9.0, risk "critical"). Mandiant discovered it while investigating an active attack on a so-called ViewState deserialization in the Sitecore CMS. Sitecore deployment guides from 2017 and earlier contained a sample ASP.NET machine key, and customers who copied it into their configuration ended up running with a key that is publicly known. Because ASP.NET uses the machine key to sign (and optionally encrypt) the ViewState it accepts back from the browser, anyone who knows the key can craft a ViewState payload that passes validation and is deserialized on the server. That is how the attackers achieved code execution from the network, the IT researchers explain.

This is a vulnerable configuration rather than a bug in one specific build: it affects customers who deployed an affected Sitecore version with the sample key from the public instructions, in particular installations that followed the guides for Sitecore XP 9.0 and the Sitecore Active Directory module 1.4 or earlier, Mandiant emphasizes. The researchers walk through the exact course of the attack in their analysis, which also lists some Indicators of Compromise (IOCs).

In the advisory, Sitecore names Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) and Managed Cloud as potentially affected. Anyone who set up one of these products following the installation instructions for XP 9.0 and AD 1.4 or earlier and kept the sample machine key, whose decryption key begins with the string "BDDFE367CD..." and whose validation key begins with "0DAC68D020...", should act immediately.

Sitecore recommends checking the environment for suspicious or abnormal behaviour, replacing the machine keys in web.config, making sure that every <system.web>/<machineKey> element in web.config is encrypted, restricting access to web.config to administrators, and then establishing a routine of rotating static machine keys regularly.
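The recommended checks and fixes, as an added PowerShell example that is not code from the Sitecore advisory or the Mandiant report: it reads web.config, flags the published sample key by the two prefixes quoted above, and on request rotates the keys, encrypts the section with aspnet_regiis and tightens the file ACL. The web.config path, the app-pool identity and the aspnet_regiis location are assumptions to adjust for your installation.

```powershell
<#
  Added example for this article (not Sitecore's or Mandiant's code).
  Audits a Sitecore web.config for the leaked sample machineKey, optionally
  rotates the keys, encrypts the section and restricts the file ACL.
  Assumptions (adjust to your install):
    - $WebConfig: path of the site's web.config
    - $AppPoolIdentity: IIS identity that must keep read access after tightening
    - aspnet_regiis.exe from the 64-bit .NET Framework 4.x directory
#>
param(
    [string]$WebConfig       = 'C:\inetpub\wwwroot\Sitecore\Website\web.config',
    [string]$AppPoolIdentity = 'IIS AppPool\Sitecore',
    [switch]$Rotate,
    [switch]$Encrypt,
    [switch]$RestrictAcl
)

# Prefixes quoted in the advisory: any key starting with these is the public sample key.
$SampleDecryptionPrefix = 'BDDFE367CD'
$SampleValidationPrefix = '0DAC68D020'

function New-HexKey {
    # Cryptographically random key as upper-case hex, the format <machineKey> expects.
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

[xml]$cfg = Get-Content -LiteralPath $WebConfig -Raw
$mk = $cfg.configuration.'system.web'.machineKey

if (-not $mk) {
    Write-Warning "No <machineKey> in $WebConfig; ASP.NET auto-generates keys here, so the sample key is not in use."
    return
}
if ($mk.configProtectionProvider) {
    Write-Host "machineKey is already encrypted ($($mk.configProtectionProvider)); decrypt with aspnet_regiis -pdf to inspect it."
    return
}

# 1. Check: does the config carry the published sample key?
$exposed = $false
if ($mk.decryptionKey -like "$SampleDecryptionPrefix*") { Write-Warning 'decryptionKey is the public sample key'; $exposed = $true }
if ($mk.validationKey -like "$SampleValidationPrefix*") { Write-Warning 'validationKey is the public sample key'; $exposed = $true }
if (-not $exposed) { Write-Host 'machineKey does not match the published sample key.' }

# 2. Rotate: write fresh keys. Every node of a Sitecore farm must receive the SAME
#    new values, otherwise ViewState and auth cookies issued by one node fail on the others.
if ($Rotate) {
    Copy-Item -LiteralPath $WebConfig -Destination "$WebConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    $mk.SetAttribute('validationKey', (New-HexKey 64))   # 512-bit key for HMACSHA256
    $mk.SetAttribute('decryptionKey', (New-HexKey 32))   # 256-bit key for AES
    $mk.SetAttribute('validation', 'HMACSHA256')
    $mk.SetAttribute('decryption', 'AES')
    $cfg.Save($WebConfig)
    Write-Host 'machineKey rotated; deploy the same values to all other nodes and recycle the app pool.'
}

# 3. Encrypt the section in place (DPAPI machine-scoped provider by default).
if ($Encrypt) {
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    & $regiis -pef 'system.web/machineKey' (Split-Path -Parent $WebConfig)
}

# 4. Limit who can read web.config: administrators, SYSTEM and the app-pool identity only.
if ($RestrictAcl) {
    icacls $WebConfig /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' "${AppPoolIdentity}:(R)"
}
```

Run it without switches first to get a read-only verdict, then with -Rotate on a backup-verified system. Note that -pef with the default provider uses machine-scoped DPAPI, so an encrypted web.config copied to another server cannot be read there; for a multi-node farm either encrypt on each node after deploying the shared plaintext keys, or use the RSA protected-configuration provider with an exported key container.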

Attacks on the Sitecore CMS were last reported at the end of 2021. Those, too, were possible from the network without prior authentication, but that vulnerability was rated only "high", not "critical" as the current one is.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.