CISA orders federal agencies to patch Sitecore zero-day following hacking reports

Federal civilian agencies have until September 25 to patch a vulnerability in popular content management system Sitecore after incident responders said they disrupted a recent attack involving the bug. 

Sitecore published a bulletin on Wednesday about CVE-2025-53690, which affects several of the company’s products. At the root of the bug is a sample machine key that was included in Sitecore deployment guides from 2017 and earlier: many customers simply deployed with the sample key and never rotated it to a unique one.

Mandiant said it recently stopped an attack where hackers leveraged the exposed sample machine key to gain access.

Sitecore confirmed that its updated deployments now automatically generate a unique machine key and that all affected customers have been notified. The company did not respond to requests for comment.

After the notices from Sitecore and Mandiant on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its exploited bugs catalog, giving all federal civilian agencies three weeks to patch it. 

Sitecore urged customers who used the sample key to examine their environment for suspicious behavior, rotate the machine keys, ensure sensitive information is encrypted, restrict some file access to administrators only and “implement the practice of rotating static machine keys.”

In the incident it disrupted, Mandiant noted that the unidentified threat actor’s “deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation.”

The hacker exploited the vulnerability on an internet-facing Sitecore instance before using a strain of reconnaissance malware called WEEPSTEEL. The hacker then tried to gain access to sensitive files and create administrator accounts.

Sitecore noted in its advisory that both Microsoft and Mandiant are offering guidance to those affected. Microsoft previously published its own notice in February about a limited campaign it witnessed last year involving the use of static machine keys during attacks. 

“In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers,” Microsoft said. 

“Microsoft has since identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which are called ViewState code injection attacks. Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification.”
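As an added illustration of the remediation Sitecore and Microsoft describe above (check a deployment for a static, publicly known ASP.NET machine key, then rotate it), here is a Python audit that is not part of the article or of any vendor tooling; the web.config fragment, the key values and the known-key list are constructed placeholders, not the real published sample key.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment for illustration (not Sitecore's real file).
# The key values are placeholders, not the published sample key the article refers to.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder set standing in for the publicly disclosed keys Microsoft and Sitecore
# describe; a real deployment would fill it from vendor guidance, not from this script.
KNOWN_PUBLISHED_VALIDATION_KEYS = {"0123456789ABCDEF" * 8}


def audit_machine_key(web_config_xml, known_keys=KNOWN_PUBLISHED_VALIDATION_KEYS):
    """Return whether web.config pins a static <machineKey> and whether its
    validationKey matches a known published value."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        # No element: ASP.NET falls back to its AutoGenerate,IsolateApps default.
        return {"static_key": False, "known_published": False}
    vkey = node.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = node.get("decryptionKey", "AutoGenerate,IsolateApps")
    static = not (vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"))
    return {
        "static_key": static,
        "known_published": vkey.upper() in {k.upper() for k in known_keys},
        "validation": node.get("validation"),
        "decryption": node.get("decryption"),
    }


def generate_machine_key():
    """Fresh random keys sized for HMACSHA256 validation (64 bytes) and AES decryption (32 bytes)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print(generate_machine_key())
```

A flagged `static_key` is only a problem when the value is shared or published; the point of the check is to surface keys that were copied from documentation rather than generated per deployment.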


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
