A sample ASP.NET machine key in old deployment guides for Sitecore products is being exploited by attackers to launch ViewState code injection attacks that compromise servers.
According to Google’s Mandiant Threat Defense team, after initial exploitation, the attackers deploy tools to escalate privileges, add new users (including admins), establish remote access tunnels, and dump credentials that enable them to perform lateral movement to other hosts on the network.
“The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” the Mandiant team said in their report.
Instances of Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) deployed in a multi-instance mode with customer-managed static machine keys using the leaked sample key are impacted by this vulnerability, tracked as CVE-2025-53690. Instances of Sitecore Managed Cloud Standard with Containers deployed in a multi-instance mode could also be impacted, according to the Sitecore advisory.
A ViewState code injection attack
In ASP.NET, ViewState is a mechanism for preserving the state of web pages across web form posts. This information is stored in a hidden HTML field named __VIEWSTATE and can be signed and encrypted with keys, called ValidationKey and DecryptionKey, that are stored in the application configuration file.
If these keys are stolen or leaked, attackers can use them to craft malicious ViewState payloads inside POST requests that the server will then decrypt, validate, and execute by loading them into the memory of its worker process.
These attacks are known as ViewState code injection or ViewState deserialization and are not new. Microsoft warned in December that it had seen in-the-wild attacks leveraging this technique and had identified over 3,000 publicly disclosed machine keys that could be abused.
The attack investigated by Mandiant exploited such a key that was included as a sample in deployment instructions dating back to 2017 for Sitecore XP 9.0 or earlier and Active Directory 1.4. Sitecore’s newer deployments generate unique keys for every installation, but users who deployed their instances using the old deployment guides and used the sample keys should now check their installations for signs of compromise.
From initial access to full server compromise
The threat actor behind the incident investigated by Mandiant exploited CVE-2025-53690 to inject a .NET assembly called Information.dll through ViewState. This information-gathering tool, which Mandiant tracks as WEEPSTEEL, is similar to the GhostContainer backdoor.
As part of the attack, WEEPSTEEL was used to gather information about the system and its users and gave the attackers the privileges of the NETWORK SERVICE account, which the Microsoft IIS worker process runs under. This allowed them to exfiltrate configuration files from the application that contained sensitive information.
The attackers then downloaded additional tools previously staged in the Music and Video directories. These tools included the 7za.exe archiving utility, a SOCKS v5 tunneling tool that Mandiant tracks as EARTHWORM, VBS scripts that contain malicious commands, as well as various privilege escalation tools.
The privilege escalation tools allowed the attackers to gain SYSTEM privileges and create additional accounts on the system, including administrative ones called asp$ and sawadmin. Additional tools that were deployed and used with these accounts included a remote access tool called DWAGENT and a user token-stealing tool called GoToken.exe.
The attackers also used their access to dump the SYSTEM and SAM registry hives to extract password hashes for all the local users configured on the system. This information was used to start lateral movement via Remote Desktop Protocol (RDP) sessions. The SHARPHOUND tool that’s part of the BloodHound Active Directory analysis framework was also deployed.
The attackers managed to jump to other systems on the network by using RDP and the account credentials they collected. The EARTHWORM tunneling tool was also deployed on those systems.
Mitigation
Sitecore users who believe their deployments might be affected should immediately examine their environments for signs of compromise and malware. The Mandiant report includes indicators of compromise that can be used to build detection signatures.
Users should also rotate the machine keys within their web.config files and ensure that any <machineKey> elements in their config files are encrypted. The web.config file should be configured to be accessible only to application administrators, and machine keys should be automatically rotated following Microsoft’s ASP.NET ViewState security guidance.
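As an added example (not from the article, Sitecore or Mandiant), the following Python audit applies the checks above to a web.config: it flags a <machineKey> that matches a key the defender has catalogued as publicly known, a static key stored in plaintext, or an encrypted section, and generates replacement keys. The config fragments and the LEAKED_STANDIN value are constructed for the demo; the real leaked sample key is not reproduced here.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragments for the demo (not from the Sitecore guides).
PLAINTEXT_CONFIG = """<configuration><system.web>
  <machineKey validationKey="{vk}" decryptionKey="{dk}"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
ENCRYPTED_CONFIG = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>placeholder</EncryptedData>
  </machineKey>
</system.web></configuration>"""
# Constructed stand-in for a key an organisation has catalogued as leaked
# (e.g. the sample key from the old deployment guides). Assumption: the defender
# maintains such a list in uppercase hex.
LEAKED_STANDIN = "A" * 128

def generate_machine_key():
    """Fresh random keys: 64-byte validationKey (HMACSHA256), 32-byte decryptionKey (AES-256).
    In a multi-instance deployment the same pair must be set on every instance."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()

def audit_machine_key(config_xml, known_leaked=frozenset()):
    """Return (severity, reason) for the <machineKey> element in a web.config string."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return "info", "no static machineKey; keys are auto-generated per machine"
    if mk.get("configProtectionProvider"):
        # Protected configuration: values are encrypted at rest and cannot be read here.
        return "ok", "machineKey section is encrypted at rest"
    vk = (mk.get("validationKey") or "AutoGenerate").upper()
    dk = (mk.get("decryptionKey") or "AutoGenerate").upper()
    if vk in known_leaked or dk in known_leaked:
        return "critical", "machineKey matches a publicly known sample key; rotate now"
    if vk.startswith("AUTOGENERATE") and dk.startswith("AUTOGENERATE"):
        return "info", "machineKey is auto-generated (ViewState will not validate across a farm)"
    return "warning", "static machineKey stored in plaintext; protect it with aspnet_regiis -pe"

if __name__ == "__main__":
    cfg = PLAINTEXT_CONFIG.format(vk=LEAKED_STANDIN, dk="B" * 64)
    print(audit_machine_key(cfg, known_leaked={LEAKED_STANDIN}))
    print(audit_machine_key(ENCRYPTED_CONFIG))
    new_vk, new_dk = generate_machine_key()
    print("replacement validationKey:", new_vk)
    print("replacement decryptionKey:", new_dk)
```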