Description

This article reports a potentially Critical Vulnerability (SC2025-005, CVE-2025-53690) in the configuration of some Sitecore products, for which there is a solution available. Successful exploitation of the related vulnerability might lead to remote code execution and non-authorized access to information.
We encourage Sitecore customers and partners to familiarize themselves with the information that follows and follow Sitecore guidance for any affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.
The vulnerability may impact the following Sitecore products

Sitecore Products	Impact
Experience Manager (XM)	Potentially impacted *, **
Experience Platform (XP)
Experience Commerce (XC)
Managed Cloud	Potentially impacted**
XM Cloud	Not impacted
Content Hub	Not impacted
CDP and Personalize	Not impacted
OrderCloud	Not impacted
Storefront (formerly Four51 Storefront)	Not impacted
Send	Not impacted
Discover	Not impacted
Search	Not impacted
Commerce Server	Not impacted

* Customers deploying using the sample key provided with deployment instructions for XP 9.0 or earlier and Active Directory 1.4 are impacted by this configuration vulnerability and should follow their documented procedures for the application of the appropriate patches. Managed Cloud Premium customers are able to reach out to their named Solutions Engineer to receive direct support with the patch installation.

** This configuration vulnerability may impact all versions XM, XP, XC topologies for all releases if deployed in a multi-instance mode with customer-managed static machine keys and may impact Managed Cloud Standard with Containers environments if deployed in a multi-instance mode.  

This Security Bulletin might be updated as further details are discovered;  the History of updates section will provide a detailed list of all changes.

If you want to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.

Solution

• Customers who deployed any version XM, XP, XC topologies and who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable and should immediately follow Sitecore guidance including:
  • Examine their environment for suspicious or anomalous behaviour.
  • Rotate the machines keys within web.config file.
  • Ensure any system <machineKey> elements in web.config files are encrypted.
  • Restrict web.config file access to application administrators only.
  • Take timely action to implement the practice of rotating static machine keys.
    
    
• Customers with configurations that require static machine keys should follow Sitecore guidance for the rotation of machine keys as a best practice or if the compromise of their machine keys is suspected.
  
  
• Additionally, following the guidance from Microsoft Threat Intelligence, Mandiant Threat Intelligence and Sitecore, we recommend examining your environment for suspicious behavior in addition to rotating and protecting your ASP.NET machine keys and other secrets. 
  Following the disclosure by Microsoft Threat Intelligence of Code injection attacks using publicly disclosed ASP.NET machine keys and Disrupting active exploitation of on-premises Sharepoint exploits targeting vulnerabilities (CVE-2025-53770 and CVE-2025-53771), Mandiant Threat Defence teams have observed the activity by an unattributed threat actor using a static ASP.NET machine key to perform ViewState Code Injection against a ASP.NET environments, including the use of a public, static ASP.NET machine key against Sitecore on-premises deployment. Sitecore has been working with Mandiant to resolve identified findings and vulnerabilities.  
  Sitecore Instructions can be found here: Security Hardening: protectecting ASP.NET machineKey from unauthorized access
  
  

FAQ

Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability might impact both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.

Additional references

Mandiant: https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability

History of updates

• 03-Sep-2025: published the article.