Federal civilian businesses have till September 25 to patch a vulnerability in widespread content material administration system Sitecore after incident responders mentioned they disrupted a latest assault involving the bug.
Sitecore printed a bulletin on Wednesday about CVE-2025-53690, which impacts a number of of the corporate’s merchandise. A key difficulty with the bug is using a pattern machine key that was included in Sitecore deployment guides from 2017 and earlier. Many purchasers merely used the pattern machine key and by no means rotated it to one thing new.
Mandiant mentioned it not too long ago stopped an assault the place hackers leveraged the uncovered pattern machine key to realize entry.
Sitecore confirmed that its up to date deployments now mechanically generate a singular machine key and that every one affected clients have been notified. The corporate didn’t reply to requests for remark.
After the notices from Sitecore and Mandiant on Wednesday, the Cybersecurity and Infrastructure Safety Company (CISA) added the vulnerability to its exploited bugs catalog, giving all federal civilian businesses three weeks to patch it.
Sitecore urged clients who used the pattern key to look at their surroundings for suspicious habits, rotate the machine keys, guarantee delicate data is encrypted, limit some file entry to directors solely and “implement the follow of rotating static machine keys.”
Within the incident it disrupted, Mandiant famous that the unidentified menace actor’s “deep understanding of the compromised product and the exploited vulnerability was evident of their development from preliminary server compromise to privilege escalation.”
The hacker exploited the vulnerability on an internet-facing Sitecore occasion earlier than utilizing a pressure of reconnaissance malware referred to as WEEPSTEEL. The hacker then tried to realize entry to delicate information and create administrator accounts.
Sitecore famous in its advisory that each Microsoft and Mandiant are providing steering to these affected. Microsoft beforehand printed its personal discover in February a couple of restricted marketing campaign it witnessed final 12 months involving using static machine keys throughout assaults.
“In the midst of investigating, remediating, and constructing protections towards this exercise, we noticed an insecure follow whereby builders have integrated numerous publicly disclosed ASP.NET machine keys from publicly accessible sources, equivalent to code documentation and repositories, which menace actors have used to carry out malicious actions on track servers,” Microsoft mentioned.
“Microsoft has since recognized over 3,000 publicly disclosed keys that might be used for all these assaults, that are referred to as ViewState code injection assaults. Whereas many beforehand identified ViewState code injection assaults used compromised or stolen keys which can be usually offered on darkish net boards, these publicly disclosed keys may pose a better threat as a result of they’re out there in a number of code repositories and will have been pushed into growth code with out modification.”
Recorded Future
Intelligence Cloud.
Be taught extra.
