ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

Date: 09/04/2025

Severity: High

Summary

A ViewState deserialization vulnerability affected Sitecore deployments that used a sample ASP.NET machine key published in Sitecore's deployment guides prior to 2017. Because that key was public, attackers could produce ViewState payloads that pass the server's MAC validation and are deserialized, which gave them remote code execution. The team collaborated directly with Sitecore to resolve the issue. The vulnerability is tracked as CVE-2025-53690 and affects customers who deployed certain Sitecore products, including Sitecore XP 9.0 and Active Directory 1.4 or earlier, using the sample key. Sitecore has since confirmed that updated deployments automatically generate unique machine keys, and affected customers have been notified.
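As an added defender-side check, not code from the advisory, Gurucul or Sitecore, the following Python audits a web.config for the condition described above: a static machineKey that was copied from a published source, or a ViewState MAC that is disabled outright. The exposed key value and the sample configurations are constructed placeholders; the real Sitecore sample key is not reproduced here.

```python
import xml.etree.ElementTree as ET

# Placeholder only: the advisory does not reproduce the leaked Sitecore sample key.
# Populate this from your own key inventory or a vendor notice before running for real.
KNOWN_EXPOSED_VALIDATION_KEYS = frozenset({"PLACEHOLDER-NOT-THE-REAL-SAMPLE-KEY"})

def audit_viewstate_config(config_xml: str, exposed_keys=frozenset()) -> dict:
    """Classify the <machineKey> in a web.config as absent, auto, static or exposed.

    Returns {"key": <class>, "findings": [human-readable issues]}.
    """
    root = ET.fromstring(config_xml)
    findings = []
    # enableViewStateMac="false" removes the signature check entirely, so even a
    # secret key would not help; flag it regardless of the key configuration.
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted unsigned")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means ASP.NET's default of AutoGenerate,IsolateApps.
        return {"key": "absent", "findings": findings}
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps").strip()
    if vkey.startswith("AutoGenerate"):
        return {"key": "auto", "findings": findings}
    if vkey.upper() in {k.upper() for k in exposed_keys}:
        findings.append("validationKey matches a published key: rotate it and review for forged ViewState")
        return {"key": "exposed", "findings": findings}
    findings.append("static validationKey: confirm it was generated for this deployment, not copied from a guide")
    return {"key": "static", "findings": findings}

# Constructed sample configs (not taken from any real Sitecore deployment).
EXPOSED_KEY = next(iter(KNOWN_EXPOSED_VALIDATION_KEYS))
STATIC_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{EXPOSED_KEY}" decryptionKey="{'CD' * 16}"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
AUTO_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" />
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("auto", AUTO_CONFIG)):
        print(name, audit_viewstate_config(cfg, KNOWN_EXPOSED_VALIDATION_KEYS))
```

Run it against every web.config in the Sitecore web root; a static key is not a finding by itself, but a match against a known published key is a rotate-now condition.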

Indicators of Compromise (IOC) List

IP addresses:

130.33.156.194

103.235.46.102

Hashes (MD5 and SHA-256; the full values are carried in the detection queries below):


Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

IP addresses (source or destination):

dstipaddress IN ("103.235.46.102","130.33.156.194") or srcipaddress IN ("103.235.46.102","130.33.156.194")

SHA-256 hashes:

sha256hash IN ("b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b","61f897ed69646e0509f6802fb2d7c5e88c3e3b93c4ca86942e24d203aa878863","a566cceaf9a66332470a978a234a8a8e2bbdd4d6aa43c2c75c25a80b3b744307")

MD5 hashes:

md5hash IN ("a39696e95a34a017be1435db7ff139d5","63d22ae0568b760b5e3aabb915313e44","117305c6c8222162d7246f842c4bb014","f410d88429b93786b224e489c960bf5c","be7e2c6a9a4654b51a16f8b10a2be175","62483e732553c8ba051b792949f3c6d0")

Reference:

https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability


Tags: Vulnerability, CVE-2025, ViewState deserialization, Sitecore XP 9.0, Exploit
