VERY IMPORTANT

Security Articles

ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

released on 2025-09-04 @ 05:54:50 PM
A critical ViewState deserialization vulnerability (CVE-2025-53690) was discovered in Sitecore products, affecting deployments using an exposed sample machine key. The attacker exploited this to achieve remote code execution, progressing from initial compromise to privilege escalation. Key events included deploying WEEPSTEEL malware for reconnaissance, archiving sensitive files, staging tools like EARTHWORM and DWAGENT, creating local admin accounts, dumping credentials, and performing Active Directory reconnaissance with SHARPHOUND. The attack demonstrated sophisticated knowledge of the target system and leveraged various techniques for persistence and lateral movement. Sitecore has addressed the issue and notified affected customers.