* Last update: 05/09/2025
* Affected software:
• Sitecore Experience Manager (XM)
• Sitecore Experience Platform (XP)
• Sitecore Experience Commerce (XC)
• Sitecore Managed Cloud
* Type: CWE-502: Deserialization of Untrusted Data
* CVE/CVSS:
→ CVE-2025-53690: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sitecore https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
Sitecore delivers an enterprise-level content management system (CMS). A critical zero-day vulnerability (CVE-2025-53690) has been discovered in multiple Sitecore products, including Sitecore XP 9.0 and Active Directory 1.4 and earlier versions, in deployments that were configured with the sample ASP.NET machine keys published in Sitecore guides prior to 2017. This flaw allows attackers to achieve remote code execution (RCE).
This vulnerability is actively exploited in the wild: Mandiant has observed real-world attacks progressing from initial compromise to privilege escalation, credential dumping, persistence, and lateral movement within enterprise networks. Attackers have deployed custom malware, showing their intent to establish long-term footholds in affected organizations.
The impact on organizations is severe:
• Confidentiality: Attackers can steal sensitive application files (e.g., web.config) containing credentials and configuration data.
• Integrity: Malware deployment and system modification allow adversaries to tamper with critical systems.
• Availability: With SYSTEM-level access, adversaries could disable services, delete files, or disrupt business operations, potentially causing major downtime.
Organizations running affected Sitecore versions are at high risk. Immediate action is required. Update your Sitecore deployment and ensure no residual machine keys from old guides remain in use.
CVE-2025-53690: Sitecore Products (Actively Exploited, Critical)
The flaw lies in Sitecore deployments that used a publicly documented sample ASP.NET machine key, which allowed attackers to craft malicious ViewState payloads. Because the machine key is meant to ensure ViewState integrity, exposure of this key enables attackers to bypass verification and trigger arbitrary code execution.
Users who deployed any XM, XP or XC topology, followed the deployment instructions provided with XP 9.0 or earlier or with Active Directory 1.4 or earlier, and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable. Read the vendor’s security bulletin for detailed recommendations.
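The trust model behind the flaw described above, as an added illustration that is not part of the CCB advisory or of Sitecore's code: a MAC keyed with the machine key only proves that whoever produced the state knew the key, so a key copied from a public guide protects nothing, while a unique, rotated key makes tampered or old state fail verification before it ever reaches a deserializer. Real ASP.NET ViewState has its own serialization format and key derivation; the key bytes and state blob here are constructed stand-ins and the functions are this example's own.

```python
"""Added example: a minimal model of MAC-protected serialized state, showing why
a published machine key voids the integrity check and what rotation achieves.
Not CCB or Sitecore code; all keys and state below are constructed values."""
import base64
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def sign_state(state: bytes, validation_key: bytes) -> str:
    """Return base64(state || HMAC-SHA256(validation_key, state)).

    Stands in for a MAC-protected __VIEWSTATE field: the tag proves the state
    was produced by a holder of validation_key, nothing more.
    """
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def verify_state(token: str, validation_key: bytes):
    """Return the state bytes if the tag verifies under validation_key, else None.

    Only state that passes this check may be handed to the deserializer; a
    deserializer that runs on unverified input is the CWE-502 condition.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < MAC_LEN:
        return None
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return state


def tamper(token: str) -> str:
    """Flip one bit of the protected state to show the MAC catching modification."""
    raw = bytearray(base64.b64decode(token))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def rotate_key() -> bytes:
    """Fresh 64-byte random key, the rotation the advisory asks for; anything
    signed under the previous key stops verifying."""
    return secrets.token_bytes(64)


def demo() -> dict:
    """Walk through the trust model with constructed values."""
    # Constructed stand-in for a key copied out of a public installation guide.
    published_key = b"SAMPLE-KEY-COPIED-FROM-A-PUBLIC-GUIDE"
    # Constructed stand-in for serialized page state; no real ViewState format here.
    state = b"constructed-serialized-page-state"
    token = sign_state(state, published_key)
    return {
        # A server configured with the published key accepts this token, and would
        # accept any token from anyone else who read the same guide, because the MAC
        # only proves knowledge of the key.
        "server_with_published_key_accepts": verify_state(token, published_key) == state,
        # A server with its own unique key rejects the very same token.
        "server_with_unique_key_rejects": verify_state(token, secrets.token_bytes(64)) is None,
        # Modification of MAC-protected state is detected as long as the key is secret.
        "tampered_token_rejected": verify_state(tamper(token), published_key) is None,
        # After rotation, tokens issued under the old key are no longer accepted.
        "old_token_rejected_after_rotation": verify_state(token, rotate_key()) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The point the model makes is that the machine key is a shared secret between the server and itself across requests; once the same value appears in a public guide, every deployment that kept it has effectively no integrity check on inbound state.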
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates, when available, for vulnerable devices with the highest priority and after thorough testing.
Rotate machine keys
• Rotate the machine keys in the web.config file.
• Ensure any system <machineKey> elements in web.config files are encrypted.
• Restrict web.config file access to application administrators only.
• Implement a regular rotation practice for static machine keys without delay.
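One way to put the four points above into a repeatable check, as an added example that is neither CCB nor Sitecore code: parse a web.config, report whether the `<machineKey>` section is encrypted, whether its keys are fixed values, and whether they begin with the truncated sample-key prefixes quoted in this advisory, then emit a replacement element with freshly generated keys. The web.config fragment is constructed for the demonstration, the prefix list holds only the truncated values shown above (the complete values are in the vendor bulletin), and the finding codes and function names are this example's own.

```python
"""Added example: audit a web.config for machineKey hygiene and generate a
replacement element for rotation. Not CCB or Sitecore code; the sample config
below is constructed, and the prefixes are the truncated values from the advisory."""
import secrets
import xml.etree.ElementTree as ET

# Truncated prefixes exactly as quoted in the advisory; complete values are in the
# vendor bulletin (KB1003865). A key starting with one of these is a published sample.
PUBLISHED_SAMPLE_KEY_PREFIXES = ("BDDFE367CD", "0DAC68D020")

# Constructed web.config fragment for the demonstration (not a real deployment).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="BDDFE367CD0123456789ABCDEF"
                decryptionKey="0DAC68D0200123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(web_config_xml: str) -> list:
    """Return a list of finding strings, each prefixed with a code for filtering."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means ASP.NET auto-generates keys per server; nothing published
        # to check, but confirm this is intended where several servers share sessions.
        return ["NO_EXPLICIT_KEY: keys are auto-generated per server; verify this is intended"]
    if mk.get("configProtectionProvider"):
        # Section protected with aspnet_regiis -pe: the attribute is set and the
        # key material is replaced by <EncryptedData>, the desired state.
        return ["ENCRYPTED: <machineKey> is a protected section; keys are not readable from the file"]
    findings.append(
        "PLAINTEXT_SECTION: <machineKey> is stored unencrypted; protect it with "
        "aspnet_regiis -pe system.web/machineKey"
    )
    for attr in ("validationKey", "decryptionKey"):
        value = (mk.get(attr) or "").strip()
        if not value or value.startswith("AutoGenerate"):
            continue
        if value.upper().startswith(PUBLISHED_SAMPLE_KEY_PREFIXES):
            findings.append(
                f"PUBLISHED_SAMPLE_KEY: {attr} starts with a prefix from the old Sitecore guides; rotate immediately"
            )
        else:
            findings.append(f"STATIC_KEY: {attr} is a fixed value; schedule regular rotation")
    if mk.get("validation", "").upper() in ("MD5", "SHA1", "3DES"):
        findings.append("WEAK_VALIDATION: legacy validation algorithm; use HMACSHA256")
    return findings


def generate_machine_key_element() -> str:
    """Return a <machineKey> element with fresh random keys for the rotation step.

    64 random bytes for the HMACSHA256 validation key and 32 bytes (AES-256)
    for the decryption key, hex-encoded as ASP.NET expects.
    """
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
    print("replacement element:")
    print(generate_machine_key_element())
```

Run the audit across every web.config in the Sitecore site tree rather than only the root one, since a copied sample key may survive in a nested configuration; after rotation, re-run it to confirm the PUBLISHED_SAMPLE_KEY finding is gone and then encrypt the section so the audit reports ENCRYPTED instead of PLAINTEXT_SECTION.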
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.