A critical zero-day vulnerability in Sitecore (CVE-2025-53690) is being actively exploited by attackers using exposed machine keys from old documentation. The flaw affects Sitecore Experience Manager, Platform, and Commerce products and is exploited through ViewState deserialization.
Mandiant discovered attackers leveraging sample machine keys that Sitecore included in deployment guides from 2017 and earlier to execute remote code on servers. This continues a troubling trend of ViewState attacks in 2024, including breaches at ConnectWise and vulnerabilities in Microsoft SharePoint.
While these attacks appear unrelated, they highlight a persistent problem: organizations using default or sample keys instead of generating secure ones. Sitecore urges customers to rotate machine keys, encrypt web.config files, and monitor for suspicious activity targeting the /sitecore/blocked.aspx page.
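
One way to act on the key-rotation and web.config advice above, as an added example that is not Sitecore's or Mandiant's code: a Python check that reads a web.config, reports whether the machineKey section is stored in plaintext, and flags static keys, including any that match a list of publicly documented values. The denylist entry and the sample web.config are constructed placeholders, and the function name audit_machine_key is an assumption.

```python
import xml.etree.ElementTree as ET

# Placeholder denylist: fill with key values that appear in public deployment
# guides or other documentation. The entry below is constructed, not a real key.
KNOWN_PUBLIC_KEYS = {"PLACEHOLDER0SAMPLE0VALIDATION0KEY"}

# Constructed sample input modelled on an ASP.NET web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER0SAMPLE0VALIDATION0KEY"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml, denylist=KNOWN_PUBLIC_KEYS):
    """Return a list of finding strings for the first <machineKey> section."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        # Keys are inherited from a higher-level config or auto-generated.
        return ["no-machinekey-element"]
    # Sections protected with aspnet_regiis carry configProtectionProvider and
    # hold an <EncryptedData> child instead of plaintext attributes.
    if node.get("configProtectionProvider"):
        return ["section-encrypted"]  # key values cannot be inspected offline
    findings = ["section-plaintext"]
    known = {k.upper() for k in denylist}
    for attr in ("validationKey", "decryptionKey"):
        key = node.get(attr, "").split(",")[0].strip()
        if not key or key.lower() == "autogenerate":
            continue  # generated per machine, not a static shared secret
        findings.append(f"{attr}:static")
        if key.upper() in known:
            findings.append(f"{attr}:matches-public-key")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
```

A "matches-public-key" finding means the key should be treated as compromised and rotated; a "static" finding on its own only shows that the key is a fixed value worth confirming was generated uniquely for that deployment.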
Source: Dark Reading