Sitecore bug abused
Threat actors exploited a zero-day bug in legacy Sitecore deployments to install WeepSteel spying malware.
The bug, tracked as CVE-2025-53690, is a ViewState deserialization flaw caused by the addition of a sample ASP.NET machine key in pre-2017 Sitecore guides.
A few users reused this key, which allowed hackers who knew about the key to create valid, but infected '_VIEWSTATE' payloads that fooled the server into deserializing and executing them, which led to remote code execution (RCE).
The vulnerability isn’t a bug in ASP.NET; however, it is a misconfiguration flaw due to the reuse of publicly documented keys that were never intended for production use.
About exploitation
Mandiant experts found the exploit in the wild and said that the threat actors have been exploiting the bug in various multi-stage attacks. Threat actors target the '/sitecore/blocked.Aspx' endpoint, which consists of an unauthorized ViewState field, and get RCE by exploiting CVE-2025-53690.
The malicious payload threat actors deploy is WeepSteel, a spying backdoor that gets process, system, disk, and network details, hiding its exfiltration as standard ViewState responses. Mendiant experts found the RCE of monitoring commands on compromised systems- tasklist, ipconfig/all, whoami, and netstat-ano.
Mandiant observed the execution of reconnaissance commands on compromised environments, including whoami, hostname, tasklist, ipconfig /all, and netstat -ano.
In the next attack stage, the threat actors installed Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip, which is used to make archives of the stolen information. After this, the threat actors increased access privileges by making local administrator accounts ('asp$,' 'sawadmin'), “cached (SAM and SYSTEM hives) credentials dumping, and attempted token impersonating via GoTokenTheft,” Bleeping Computer said.
Threat actors secured persistence by disabling password expiration, which gave them RDP access and allowed them to register Dwagent as a SYSTEM service.
“Mandiant recommends following security best practices in ASP.NET, including implementing automated machine key rotation, enabling View State Message Authentication Code (MAC), and encrypting any plaintext secrets within the web.config file,” the company said.
