CVE-2025-53690 (GCVE-0-2025-53690)
Vulnerability from cvelistv5 – Published: 2025-09-03 20:04 – Updated: 2025-10-21 22:45
VLAI?
CISA KEV
Title
Sitecore Products ViewState Deserialization Vulnerability
Summary
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Severity ?
9 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Sitecore | Experience Manager (XM) |
Affected:
0 , ≤ 9.0
(semver)
|
|||||||
|
|||||||||
Credits
Mandiant Threat Defense
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 09bc0f3e-bcb8-43d3-969f-64a5dcf24ba5
Exploited: Yes
Timestamps
First Seen: 2025-09-04
Asserted: 2025-09-04
Scope
Notes: KEV entry: Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability | Affected: Sitecore / Multiple Products | Description: Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2025-09-25 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53690
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-502 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | Multiple Products |
| Due Date | 2025-09-25 |
| Date Added | 2025-09-04 |
| Vendorproject | Sitecore |
| Vulnerabilityname | Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Created: 2026-02-02 12:25 UTC
| Updated: 2026-02-06 07:17 UTC
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53690",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T03:55:32.553435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:45:18.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-04T00:00:00+00:00",
"value": "CVE-2025-53690 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Experience Manager (XM)",
"vendor": "Sitecore",
"versions": [
{
"lessThanOrEqual": "9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Experience Platform (XP)",
"vendor": "Sitecore",
"versions": [
{
"lessThanOrEqual": "9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eCustomers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mandiant Threat Defense"
}
],
"datePublic": "2025-09-03T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.\u003cp\u003eThis issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:04:48.223Z",
"orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
"shortName": "Wiz"
},
"references": [
{
"url": "https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability"
},
{
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003865"
}
],
"source": {
"discovery": "USER"
},
"title": "Sitecore Products ViewState Deserialization Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
"assignerShortName": "Wiz",
"cveId": "CVE-2025-53690",
"datePublished": "2025-09-03T20:04:48.223Z",
"dateReserved": "2025-07-08T14:21:02.028Z",
"dateUpdated": "2025-10-21T22:45:18.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2025-53690",
"cwes": "[\"CWE-502\"]",
"dateAdded": "2025-09-04",
"dueDate": "2025-09-25",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003865 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53690",
"product": "Multiple Products",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. ",
"vendorProject": "Sitecore",
"vulnerabilityName": "Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-53690\",\"sourceIdentifier\":\"9947ef80-c5d5-474a-bbab-97341a59000e\",\"published\":\"2025-09-03T20:15:33.473\",\"lastModified\":\"2025-10-30T20:39:16.593\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"9947ef80-c5d5-474a-bbab-97341a59000e\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0}]},\"cisaExploitAdd\":\"2025-09-04\",\"cisaActionDue\":\"2025-09-25\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability\",\"weaknesses\":[{\"source\":\"9947ef80-c5d5-474a-bbab-97341a59000e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.0\",\"matchCriteriaId\":\"40097CA2-94C2-4CBD-B94C-10B5A8F282FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.0\",\"matchCriteriaId\":\"96C832B3-FB9D-443A-A501-65BFF0A47092\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.0\",\"matchCriteriaId\":\"8F60EDF8-6CCE-4440-A4FB-337FBFC881DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"520CF670-01A2-479F-B637-C413A82463E0\"}]}]}],\"references\":[{\"url\":\"https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability\",\"source\":\"9947ef80-c5d5-474a-bbab-97341a59000e\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003865\",\"source\":\"9947ef80-c5d5-474a-bbab-97341a59000e\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53690\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-05T03:55:32.553435Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-09-04\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-09-04T00:00:00+00:00\", \"value\": \"CVE-2025-53690 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-03T20:14:09.184Z\"}}], \"cna\": {\"title\": \"Sitecore Products ViewState Deserialization Vulnerability\", \"source\": {\"discovery\": \"USER\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Mandiant Threat Defense\"}], \"impacts\": [{\"capecId\": \"CAPEC-242\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-242 Code Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Sitecore\", \"product\": \"Experience Manager (XM)\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Sitecore\", \"product\": \"Experience Platform (XP)\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.0\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-09-03T18:00:00.000Z\", \"references\": [{\"url\": \"https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability\"}, {\"url\": \"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003865\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.\u003cp\u003eThis issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003eCustomers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"9947ef80-c5d5-474a-bbab-97341a59000e\", \"shortName\": \"Wiz\", \"dateUpdated\": \"2025-09-03T20:04:48.223Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-53690\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T22:45:18.827Z\", \"dateReserved\": \"2025-07-08T14:21:02.028Z\", \"assignerOrgId\": \"9947ef80-c5d5-474a-bbab-97341a59000e\", \"datePublished\": \"2025-09-03T20:04:48.223Z\", \"assignerShortName\": \"Wiz\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…