How Attackers Exploited ViewState Deserialization to Breach Sitecore Deployments

Enterprise Sites at Risk: A Zero-Day Exploit Unveiled

A sophisticated cyber campaign has targeted organizations running Sitecore products, exploiting a critical zero-day flaw (CVE-2025-53690). Attackers gained remote code execution by abusing exposed ASP.NET machine keys, showcasing the ongoing risks of insecure configurations and emphasizing the need for robust cryptographic practices in enterprise environments.

Dissecting the Attack Chain

  • Initial Compromise: Publicly accessible Sitecore endpoints, especially /sitecore/blocked.aspx, were exploited through a ViewState deserialization vulnerability. The reuse of sample machine keys from outdated documentation let attackers bypass key security controls using malicious payloads.

  • Payload Delivery: Custom .NET assemblies, notably the WEEPSTEEL reconnaissance tool, were delivered within the malicious ViewState, gathering system, user, and network information for exfiltration via fake __VIEWSTATE fields.

  • Tool Deployment: Attackers leveraged open-source tools in public directories:
    • EARTHWORM established covert SOCKS proxy tunnels for persistent remote access.
    • DWAGENT enabled remote desktop sessions with elevated privileges.
    • SHARPHOUND facilitated deep Active Directory reconnaissance.

  • Privilege Escalation: With tools like GoTokenTheft, attackers created local admin accounts, extracted credential hives, and impersonated privileged users to further expand access.

  • Lateral Movement: Compromised admin credentials enabled RDP access to additional hosts, where reconnaissance and deployment of EARTHWORM continued, broadening the attackers’ reach.

  • Persistence and Cleanup: To retain access, password expiration was disabled, DWAGENT was installed as a service, and initial suspicious accounts were eventually removed in favor of using compromised legitimate credentials.

Technical Analysis

  • ViewState Deserialization: Attackers crafted encrypted ViewState payloads using known machine keys, bypassing server validation and enabling arbitrary code execution on target systems.

  • Reconnaissance and Exfiltration: After gaining a foothold, adversaries exfiltrated sensitive files like web.config, surveyed system and domain environments, and searched for privileged credentials, including those embedded in Group Policy Objects.

  • Tooling and Execution: Utilities such as 7-Zip, custom scripts, and public reconnaissance tools were staged for operational use. EARTHWORM ensured stealthy communication, while DWAGENT offered high-privilege remote access for ongoing operations.

  • Indicators of Compromise: Defenders can identify breaches through artifact traces left by the campaign, such as unique account names (e.g., asp$, sawadmin), malware hashes, and command-and-control infrastructure.

Mitigation Steps

  • Rotate Machine Keys: Always configure deployments with unique, cryptographically strong machine keys, and never reuse samples or documentation defaults.

  • Enable ViewState MAC: Enforcing ViewState Message Authentication Code validation is crucial to prevent tampering and unauthorized code execution.

  • Harden Configuration Files: Encrypt sensitive information in web.config and limit file access to essential personnel only.

  • Monitor for IOCs: Continuously track suspicious accounts, file hashes, and network indicators highlighted in threat intelligence reports.

  • Stay Updated: Regularly follow security advisories and promptly apply hotfixes from Sitecore and Microsoft to close vulnerabilities.
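
As an added example (not code from the report, Sitecore or Microsoft), a small Python audit of a web.config system.web section that flags the weak settings the steps above address (a machine key matching a known sample, ViewState MAC disabled, short keys, MD5/SHA1 validation) and emits a hardened replacement with fresh random keys. The config fragment and the deny-list entry are constructed placeholders, and the 32-byte minimum is an assumed policy threshold.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment; the key values are placeholders, not the
# documentation sample keys the report refers to.
WEAK_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" />
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
    decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="SHA1" decryption="AES" />
</system.web></configuration>"""

# Hypothetical deny-list of published sample keys (here: the constructed one above).
KNOWN_SAMPLE_KEYS = {"0123456789ABCDEF0123456789ABCDEF"}

def generate_machine_key():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()

def audit_web_config(xml_text):
    """Return findings on ViewState MAC and <machineKey> settings; empty means clean."""
    findings = []
    web = ET.fromstring(xml_text).find("./system.web")
    pages = web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is disabled")
    mk = web.find("machineKey")
    if mk is None:  # per-server auto-generated keys; fine for one server, not a farm
        return findings + ["no explicit <machineKey> element"]
    for name in ("validationKey", "decryptionKey"):
        key = mk.get(name, "").upper()
        if key in KNOWN_SAMPLE_KEYS:
            findings.append(f"{name} matches a known sample/documentation key")
        elif not key.startswith("AUTOGENERATE") and len(key) < 64:  # assumed 32-byte floor
            findings.append(f"{name} is only {len(key) // 2} bytes; use at least 32")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    return findings

def hardened_config(xml_text):
    """Return the fragment with MAC enabled, fresh keys and HMACSHA256 validation."""
    root = ET.fromstring(xml_text)
    web = root.find("./system.web")
    for tag in ("pages", "machineKey"):  # replace old elements with hardened ones
        for old in web.findall(tag):
            web.remove(old)
    ET.SubElement(web, "pages", enableViewStateMac="true")
    vkey, dkey = generate_machine_key()
    ET.SubElement(web, "machineKey", validationKey=vkey, decryptionKey=dkey,
                  validation="HMACSHA256", decryption="AES")
    return ET.tostring(root, encoding="unicode")
```

Run the audit against each deployment's web.config before and after rotation; a non-empty result on the rewritten file means the replacement did not take effect.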

Takeaway

This incident powerfully illustrates the dangers posed by insecure defaults and legacy configurations. Organizations must take proactive steps, like rotating cryptographic keys, hardening configurations, and staying vigilant through threat monitoring, to defend their platforms against evolving multi-stage attacks.

Source: Google Cloud Threat Intelligence Blog

Joshua Berkowitz September 21, 2025