Attackers Take Advantage of Sitecore Zero-Day Vulnerability

Encryption & Key Management,
Security Operations

Mandiant Uncovers Significant Vulnerability in Sitecore Products


Cybercriminals have exploited a recently patched zero-day vulnerability within Sitecore, a widely used content management system supporting numerous major enterprises, including HSBC, L’Oréal, Toyota, and United Airlines.

Sitecore disclosed that the attackers abused an ASP.NET machine key that some deployments had copied verbatim from its documentation into production configuration, using it to feed those systems a payload that loaded malware. The key was only ever meant as a sample, yet it had appeared in Sitecore's guidance materials since at least 2017.

Sitecore is built on Microsoft's ASP.NET Web Forms framework, which relies on a feature called ViewState to carry page and control state between requests over the inherently stateless HTTP protocol. ViewState is serialized, base64-encoded and embedded in the page as a hidden form field; the server protects it with a machine key, appending a message authentication code (and optionally encrypting it) so that it can reject any ViewState blob it did not produce itself.

Researchers from Google Mandiant identified the exploitation, in which the attackers used the sample key to make the Sitecore instances of unidentified customers deserialize a malicious .NET assembly that Mandiant named "Weepsteel." Because the key was known, the attackers could craft a ViewState payload carrying a valid authentication code and deliver it to an internet-exposed page, with no authentication required.

Mandiant's research indicated that compromise of the machine keys, which protect ViewState integrity and confidentiality, leaves the application unable to distinguish legitimate ViewState from attacker-supplied payloads: anything signed with the leaked key passes validation. The vulnerability is tracked as CVE-2025-53690.
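The practical consequence of the point above is that the configured machine key, not the MAC check, is the security boundary. The following Python script is an added example (not code from the article, Sitecore or Mandiant) that audits a web.config for a machine key copied from public sample material, for weak validation or decryption algorithms and for a disabled ViewState MAC, then rotates the key to fresh random material. The web.config fragment, the placeholder key value and the contents of KNOWN_SAMPLE_KEYS are constructed for the example; in practice the set is populated from the vendor's published documentation.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment for the example. The key values are placeholders standing in
# for a key pasted verbatim from vendor sample documentation; they are NOT the key from the
# Sitecore advisory.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Keys known to appear in public documentation. Populate from the vendor's published samples;
# the single entry here is the constructed placeholder above.
KNOWN_SAMPLE_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}


def _is_hex(s: str) -> bool:
    return len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def audit_machine_key(config_xml: str, known_sample_keys=KNOWN_SAMPLE_KEYS):
    """Return (severity, message) findings for the <machineKey> and <pages> settings."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # Default is AutoGenerate,IsolateApps: per-server keys, safe on one box but they break
        # ViewState across a farm, which is why operators paste an explicit key instead.
        findings.append(("info", "no <machineKey>; ASP.NET auto-generates per-server keys"))
    else:
        known = {k.upper() for k in known_sample_keys}
        for attr in ("validationKey", "decryptionKey"):
            val = mk.get(attr, "AutoGenerate,IsolateApps")
            if val.startswith("AutoGenerate"):
                continue
            if val.upper() in known:
                findings.append(("critical", f"{attr} is a published sample key; ViewState can be forged by anyone"))
            elif not _is_hex(val):
                findings.append(("high", f"{attr} is not a hex string"))
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(("medium", f"validation={mk.get('validation')} is weak; use HMACSHA256"))
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(("medium", f"decryption={mk.get('decryption')} is weak; use AES"))
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "enableViewStateMac=false: ViewState is accepted unsigned"))
    return findings


def generate_machine_key_element() -> ET.Element:
    """Fresh random keys: 64 bytes for HMACSHA256, 32 bytes for AES-256, hex-encoded as ASP.NET expects."""
    return ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    })


def rotate_machine_key(config_xml: str) -> str:
    """Replace (or add) <machineKey> under <system.web> and return the new config text."""
    root = ET.fromstring(config_xml)
    system_web = next(root.iter("system.web"), None)
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    for old in list(system_web.findall("machineKey")):
        system_web.remove(old)
    system_web.append(generate_machine_key_element())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, msg in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(f"[{sev}] {msg}")
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Two operational caveats: every server that shares the old key must receive the new one at the same time, otherwise ViewState produced by one node fails validation on the others, and a rotation invalidates in-flight ViewState and forms-authentication tickets, so schedule it accordingly. Once the new key is in place, the "encrypt plaintext secrets" advice maps to protecting the section at rest, for example with aspnet_regiis -pe, rather than leaving the hex key readable in web.config.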

Using Weepsteel, the attackers gathered system and user information and exfiltrated it disguised as benign ViewState responses. Following this reconnaissance, they archived key application files, presumably to retrieve sensitive items such as web.config, which holds authentication and authorization settings (and, where it is configured explicitly, the machine key itself). They staged tools in public directories: Earthworm, a tunneling utility; Dwagent, a remote access tool; and Sharphound, an Active Directory reconnaissance tool. By creating local administrator accounts they escalated their privileges, then dumped the Security Account Manager (SAM) database to harvest stored credential hashes.

The threat actors also deployed a token-stealing tool named GoTokenTheft and secured persistent access by disabling password expiration on the accounts they controlled, installing remote access agents, and routing traffic through covert tunnels. Once they held administrator credentials, they removed the temporary accounts and moved to less conspicuous access methods.

Both Mandiant and Sitecore advise customers to rotate machine keys, enable ViewState message authentication code (MAC) validation, and encrypt plaintext secrets in configuration files. MAC validation alone does not close this hole: a MAC computed with a publicly known key validates exactly as the attacker intends, so replacing the key on every server that shares it is the step that matters, and any deployment that ran with the sample key warrants investigation for earlier compromise, since the key has been public since 2017. Organizations are also encouraged to monitor for account creation, RDP use, and tunneling traffic associated with the tools named above.
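To show what the recommended monitoring looks like in practice, here is an added example (not from the article or Mandiant's report) in Python that runs a handful of correlation rules over constructed Windows Security-log events shaped after the intrusion chain described above: a web worker process spawning a command shell (the generic signal for ViewState deserialization turning into command execution), a newly created account being added to the local Administrators group, password expiry being disabled, execution of the named tools, and an RDP logon by a just-created account. The event IDs are the real Windows ones; the host, account, address and path values, the tool-name markers and the time windows are assumptions made for the example.

```python
import datetime as dt
from collections import Counter

# Constructed sample Windows Security-log events, simplified to dicts (not real telemetry).
# Account names, addresses and paths are invented; the event IDs are the real Windows ones
# (4688 process creation, 4720 account created, 4732 member added to a local group,
# 4738 account changed, 4624 logon; logon_type 10 is RemoteInteractive, i.e. RDP).
SAMPLE_EVENTS = [
    {"ts": "2025-09-03T09:00:00", "id": 4624, "user": "jdoe", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"ts": "2025-09-03T10:00:01", "id": 4688, "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "process": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c net user svcbk * /add"},
    {"ts": "2025-09-03T10:00:05", "id": 4720, "target": "svcbk", "subject": "IIS APPPOOL\\Sitecore"},
    {"ts": "2025-09-03T10:00:09", "id": 4732, "target": "svcbk", "group": "Administrators"},
    {"ts": "2025-09-03T10:00:12", "id": 4738, "target": "svcbk", "change": "'Don't Expire Password' - Enabled"},
    {"ts": "2025-09-03T10:02:00", "id": 4688, "parent": "C:\\Windows\\System32\\cmd.exe",
     "process": "C:\\inetpub\\wwwroot\\upload\\dwagent.exe", "cmdline": "dwagent.exe"},
    {"ts": "2025-09-03T10:15:00", "id": 4624, "user": "svcbk", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": "2025-09-03T10:20:00", "id": 4688, "parent": "C:\\Windows\\System32\\services.exe",
     "process": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Tool-name markers are a starting point only: the actor can rename binaries (assumption).
TOOL_MARKERS = ("earthworm", "dwagent", "sharphound", "gotokentheft")
WEB_WORKER = "w3wp.exe"                      # IIS worker process that hosts the ASP.NET app
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ADMIN_WINDOW = dt.timedelta(hours=1)         # 4720 followed by 4732 within this window
NEW_ACCOUNT_WINDOW = dt.timedelta(hours=24)  # RDP by an account created within this window


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the rules over events in time order; return (rule, detail, timestamp) alerts."""
    created = {}   # account name -> creation time, to correlate later events
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = dt.datetime.fromisoformat(e["ts"])
        eid = e["id"]
        if eid == 4688:
            if _basename(e.get("parent", "")) == WEB_WORKER and _basename(e["process"]) in SHELLS:
                alerts.append(("web_worker_spawned_shell", e.get("cmdline", ""), ts))
            hay = (e["process"] + " " + e.get("cmdline", "")).lower()
            hit = next((m for m in TOOL_MARKERS if m in hay), None)
            if hit:
                alerts.append(("known_tool_executed", hit, ts))
        elif eid == 4720:
            created[e["target"]] = ts
        elif eid == 4732 and e.get("group") == "Administrators":
            t0 = created.get(e["target"])
            if t0 is not None and ts - t0 <= ADMIN_WINDOW:
                alerts.append(("new_local_admin", e["target"], ts))
        elif eid == 4738 and "Don't Expire Password' - Enabled" in e.get("change", ""):
            alerts.append(("password_expiry_disabled", e["target"], ts))
        elif eid == 4624 and e.get("logon_type") == 10:
            t0 = created.get(e["user"])
            if t0 is not None and ts - t0 <= NEW_ACCOUNT_WINDOW:
                alerts.append(("rdp_by_new_account", f"{e['user']} from {e['src_ip']}", ts))
    return alerts


def summarize(alerts) -> Counter:
    """Count alerts per rule, useful for a quick triage view."""
    return Counter(rule for rule, _, _ in alerts)


if __name__ == "__main__":
    for rule, detail, ts in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()}  {rule:<26} {detail}")
```

The existing jdoe RDP logon produces nothing because that account has no creation event in the window, which is the point of correlating 4624 against 4720 rather than alerting on every RDP session. In a real deployment the same rules would read from the SIEM or from Get-WinEvent output instead of the inline list, and the tool markers should be complemented by hash- or behaviour-based detections since the names are trivial to change.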

The incident maps cleanly onto the MITRE ATT&CK framework: initial access through the internet-exposed ViewState endpoint, persistence through new local accounts and remote access agents, and privilege escalation through local administrator creation and credential dumping. Tracking the intrusion in those terms helps organizations decide which of the detections above to prioritise and which controls, key rotation first among them, actually remove the attacker's foothold.
