
Hackers exploited Sitecore zero-day flaw to deploy backdoors


Threat actors have been exploiting a zero-day vulnerability in legacy Sitecore deployments to deploy WeepSteel reconnaissance malware.

The flaw, tracked under CVE-2025-53690, is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2017 Sitecore guides.

Some customers reused this key in production, allowing attackers with knowledge of the key to craft valid but malicious '__VIEWSTATE' payloads that tricked the server into deserializing and executing them, leading to remote code execution (RCE).

The flaw isn't a bug in ASP.NET itself, but a misconfiguration vulnerability created by reusing publicly documented keys that were never meant for production.
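The misconfiguration described above is something a defender can audit for directly: the ASP.NET `<machineKey>` lives in web.config, and a key copied from documentation is by definition public. The following script is an added example written for this article, not Sitecore's or Mandiant's code. It parses a web.config, flags a `validationKey` or `decryptionKey` that matches a set of known-public keys (the set here holds a constructed placeholder value, not the real Sitecore sample key, which the article does not reproduce), flags `enableViewStateMac="false"` and non-HMAC-SHA2 validation algorithms, and shows how to generate a fresh, deployment-unique key element to replace a leaked one.

```python
"""Audit an ASP.NET web.config for machineKey settings that enable ViewState
deserialization attacks, and mint a replacement key.

Added example for this article; not vendor code. KNOWN_PUBLIC_KEYS holds a
constructed placeholder: populate it from the vendor advisory in real use.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a key that appears in public docs.
SAMPLE_VALIDATION_KEY = "DEADBEEF" * 16   # 64 bytes as hex
SAMPLE_DECRYPTION_KEY = "DEADBEEF" * 8    # 32 bytes as hex
KNOWN_PUBLIC_KEYS = {SAMPLE_VALIDATION_KEY, SAMPLE_DECRYPTION_KEY}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(web_config_xml)

    # ViewState MAC disabled means any forged ViewState is accepted, key or no key.
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without a MAC")

    mk = root.find("system.web/machineKey")
    if mk is None:
        return findings  # no explicit key: auto-generated per machine, nothing copied

    known_upper = {k.upper() for k in KNOWN_PUBLIC_KEYS}
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in known_upper:
            findings.append(f"{attr} matches a publicly documented sample key")
        elif not re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append(f"{attr} is not a hex string")

    validation_key = mk.get("validationKey", "AutoGenerate")
    if not validation_key.startswith("AutoGenerate") and len(validation_key) < 128:
        findings.append("validationKey shorter than 64 bytes")

    # Default algorithm depends on framework version, so only judge an explicit value.
    algo = mk.get("validation")
    if algo is not None and algo.upper() not in STRONG_VALIDATION:
        findings.append(f"validation={algo}: not an HMAC-SHA2 algorithm")
    return findings


def generate_machine_key_element() -> str:
    """Emit a fresh <machineKey> element unique to this deployment."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


def wrap_config(machine_key_element: str, enable_viewstate_mac: bool = True) -> str:
    """Build a minimal web.config around a machineKey element (for testing)."""
    mac = "true" if enable_viewstate_mac else "false"
    return (
        "<configuration>\n  <system.web>\n"
        f'    <pages enableViewStateMac="{mac}" />\n'
        f"    {machine_key_element}\n"
        "  </system.web>\n</configuration>"
    )


# Constructed sample: the weak pattern the article describes (copied key, old algorithm).
WEAK_CONFIG = wrap_config(
    f'<machineKey validationKey="{SAMPLE_VALIDATION_KEY}" '
    f'decryptionKey="{SAMPLE_DECRYPTION_KEY}" validation="SHA1" decryption="3DES" />',
    enable_viewstate_mac=False,
)

if __name__ == "__main__":
    for finding in audit_machine_key(WEAK_CONFIG):
        print("WEAK:", finding)
    print("FIXED:", audit_machine_key(wrap_config(generate_machine_key_element())))
```

Rotating the key is only half the fix: any ViewState or forms-authentication ticket issued under the old key becomes invalid, so schedule the change, and in a web farm give every node the same new key rather than letting each auto-generate its own.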

Exploitation activity

Mandiant researchers, who discovered the malicious activity in the wild, report that threat actors have been leveraging the flaw in multi-stage attacks.

The attackers target the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field, and achieve RCE under the IIS NETWORK SERVICE account by leveraging CVE-2025-53690.

The malicious payload they drop is WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information, disguising its exfiltration as standard ViewState responses.
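Because the endpoint and the delivery mechanism (a POST carrying a crafted ViewState) are known, the IIS access log is a natural place to look for this activity. The following is an added example, not Mandiant's detection logic: a small parser for IIS W3C extended logs that honours the `#Fields:` header, plus a rule that flags POST requests to `/sitecore/blocked.aspx` whose request size (`cs-bytes`) exceeds a threshold. The threshold and the sample log lines are constructed for illustration; the heuristic assumes that large POST bodies to this endpoint are unusual in normal traffic and deserve triage, and it should be tuned against a baseline of the site's own logs.

```python
"""Flag large POST requests to the Sitecore ViewState endpoint in IIS W3C logs.

Added example for this article; not Mandiant's or Sitecore's code. The body
size threshold is an assumed tuning value, and SAMPLE_LOG is constructed.
"""
from dataclasses import dataclass
from typing import Iterator

TARGET_PATH = "/sitecore/blocked.aspx"
BODY_THRESHOLD = 4096  # bytes; assumed starting point, tune against a baseline


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    status: str
    request_bytes: int


def parse_w3c(log_text: str) -> Iterator[dict]:
    """Yield one dict per request line, using the most recent #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # IIS may emit a new header mid-file
            continue
        if line.startswith("#") or fields is None:
            continue                    # other directives, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # truncated or malformed line; skip, don't crash
        yield dict(zip(fields, parts))


def find_suspicious_posts(log_text: str, threshold: int = BODY_THRESHOLD) -> list[Hit]:
    """Return POSTs to the target endpoint whose request size meets the threshold."""
    hits = []
    for row in parse_w3c(log_text):
        if row.get("cs-method", "").upper() != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != TARGET_PATH:
            continue
        try:
            size = int(row.get("cs-bytes", "0"))
        except ValueError:
            size = 0                    # field absent or non-numeric: treat as unknown
        if size >= threshold:
            hits.append(Hit(f"{row['date']} {row['time']}", row["c-ip"],
                            row["sc-status"], size))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes
2025-09-03 10:00:01 10.0.0.5 GET /sitecore/blocked.aspx - 443 198.51.100.7 Mozilla/5.0 200 412
2025-09-03 10:00:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 198.51.100.7 Mozilla/5.0 200 18734
2025-09-03 10:01:00 10.0.0.5 GET /sitecore/login - 443 203.0.113.9 Mozilla/5.0 200 380
2025-09-03 10:02:15 10.0.0.5 POST /sitecore/blocked.aspx - 443 203.0.113.9 Mozilla/5.0 302 910
"""

if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} status={hit.status} bytes={hit.request_bytes}")
```

A hit is a triage lead, not a verdict: confirm it by checking for the follow-on behaviour the article describes, such as new processes spawned under the IIS NETWORK SERVICE account around the same timestamp, and treat any match on a server still using a documented machine key as a likely compromise rather than a scan.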

[Figure: WeepSteel's information collection. Source: Mandiant]
