Google’s Mandiant cybersecurity division has warned that threat actors are exploiting an old configuration error in Sitecore deployments, allowing remote code execution (RCE) through a known ASP.NET vulnerability.
The attackers are abusing a sample machine key that was included in Sitecore deployment guides from 2017 and earlier. Using this key, malicious actors carry out ViewState deserialization attacks on outdated and internet-accessible Sitecore instances.
The flaw, tracked as CVE-2025-53690, affects Sitecore Experience Manager (XM) and Experience Platform (XP) versions prior to 9.0 that were deployed with the sample key. Sitecore has since addressed the issue, releasing updates and security guidance to help affected organizations mitigate the risk.
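The root cause described above is a configuration weakness rather than a code bug: a `<machineKey>` copied from a published guide lets anyone who read that guide sign their own ViewState. The following audit script is an added example (not Mandiant's or Sitecore's code) that checks a `web.config` for a published sample key, for a weak MAC algorithm, and for disabled ViewState MAC validation, and generates a replacement element with freshly generated keys. The embedded `web.config` and the values in `KNOWN_SAMPLE_KEYS` are constructed placeholders; the real key from the old Sitecore guides is deliberately not reproduced here, so the set must be populated from Sitecore's own advisory before the check is meaningful.

```python
"""Audit an ASP.NET web.config for a published sample or weak <machineKey>.

Added example, not vendor code. KNOWN_SAMPLE_KEYS and SAMPLE_WEB_CONFIG are
constructed placeholders; fill the set from the vendor advisory before use.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for keys that appeared in public guides.
KNOWN_SAMPLE_KEYS = {
    "PLACEHOLDER-SAMPLE-VALIDATION-KEY",
    "PLACEHOLDER-SAMPLE-DECRYPTION-KEY",
}

# MAC algorithms weaker than the HMACSHA256 default of .NET 4.x.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}

# Constructed web.config resembling a legacy deployment that copied a guide's key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-SAMPLE-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-SAMPLE-DECRYPTION-KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Template used to assemble a hardened config around a generated element.
CONFIG_TEMPLATE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    {machine_key}
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the machineKey settings."""
    findings: list[tuple[str, str]] = []
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-application keys,
        # which is fine on a single server (a web farm needs shared static keys).
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value in KNOWN_SAMPLE_KEYS:
            findings.append(("critical", f"{attr} matches a published sample key; "
                             "anyone holding it can sign a ViewState payload"))
        else:
            # Static keys are legitimate on web farms; they just must be unique
            # to this deployment and never published.
            findings.append(("info", f"{attr} is static; confirm it was generated "
                             "for this deployment and has never been shared"))
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(("warning", "validation algorithm is weaker than HMACSHA256"))
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "enableViewStateMac is disabled; ViewState is unsigned"))
    return findings


def fresh_machine_key_element() -> str:
    """Build a <machineKey> element with newly generated random keys.

    Sizes follow the usual ASP.NET guidance: a 64-byte validation key for
    HMACSHA256 and a 32-byte decryption key for AES-256, both hex encoded.
    """
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for severity, message in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
    print("replacement element:", fresh_machine_key_element())
```

Run it against every `web.config` (and any Sitecore patch configs that set `machineKey`) on internet-facing hosts; a `critical` hit on a static key means the keys must be rotated and existing sessions invalidated, since any ViewState signed with the old key remains forgeable until then.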
According to Google, the attackers used specially crafted ViewState payloads to deploy WeepSteel, a .NET-based malware capable of harvesting sensitive data and sending it back via ViewState responses.
The hackers also performed internal reconnaissance, archived the web root directory, and deployed several open-source tools for lateral movement, including EarthWorm, DWagent, and SharpHound.
In addition to creating fake administrator accounts, the attackers used a tool called GoToken, likely the GoTokenTheft utility, to steal authentication tokens. They later established Remote Desktop Protocol (RDP) access, dumped system registry hives to extract password hashes, and removed evidence by deleting the accounts after gaining broader access.