Intel Name: ViewState deserialization zero-day vulnerability in Sitecore products (CVE-2025-53690)
Date of Scan: September 4, 2025
Impact: High
Summary: A ViewState deserialization vulnerability impacted Sitecore deployments that used a sample machine key published in Sitecore’s deployment guides prior to 2017. Attackers exploited this exposed ASP.NET machine key to achieve remote code execution. The team collaborated directly with Sitecore to resolve the issue. This vulnerability is tracked as CVE-2025-53690 and affects customers who deployed certain Sitecore products—including Sitecore XP 9.0 and Active Directory 1.4 or earlier—using the sample key. Sitecore has since confirmed that updated deployments automatically generate unique machine keys, and affected customers have been notified.
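
A defensive check for the condition described in the summary, as an added example that is not Sitecore's code or part of the original report: it classifies the `<machineKey>` setting of a `web.config` as auto-generated, static, or matching a key known to be public. The digest list holds a constructed placeholder because the real sample key is not given here; the function names and sample configs are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumption: SHA-256 digests of validationKey values known to be public.
# The single entry is a constructed placeholder, not the real sample key.
KNOWN_PUBLISHED_DIGESTS = {
    hashlib.sha256(b"PLACEHOLDER_PUBLISHED_SAMPLE_KEY").hexdigest(),
}
# Ordered from least to most severe.
SEVERITY = ["auto-generated", "needs-manual-review", "static", "known-published"]

def is_static(value):
    """A literal key is anything that does not start with AutoGenerate."""
    return not value.strip().lower().startswith("autogenerate")

def classify(mk):
    """Classify one <machineKey> element."""
    # Encrypted or externalised sections cannot be judged from this file.
    if mk.get("configProtectionProvider") or mk.get("configSource"):
        return "needs-manual-review"
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    # Hex keys are case-insensitive, so normalise before hashing.
    digest = hashlib.sha256(vkey.strip().upper().encode()).hexdigest()
    if digest in KNOWN_PUBLISHED_DIGESTS:
        return "known-published"
    if is_static(vkey) or is_static(dkey):
        return "static"
    return "auto-generated"

def audit_web_config(xml_text):
    """Return the most severe machineKey status found in a web.config."""
    root = ET.fromstring(xml_text)
    # Strip any XML namespace so older namespaced configs still match.
    keys = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "machineKey"]
    # No <machineKey> element means ASP.NET falls back to AutoGenerate.
    return max(map(classify, keys), key=SEVERITY.index, default="auto-generated")

# Constructed sample inputs, not taken from any real deployment.
WRAP = "<configuration><system.web>{}</system.web></configuration>"
SAMPLES = {
    "reused": WRAP.format('<machineKey validationKey="placeholder_published_sample_key" decryptionKey="0123ABCD"/>'),
    "static": WRAP.format('<machineKey validationKey="AABBCC" decryptionKey="AutoGenerate"/>'),
    "auto": WRAP.format('<machineKey validationKey="AutoGenerate,IsolateApps"/>'),
    "none": WRAP.format(""),
    "encrypted": WRAP.format('<machineKey configProtectionProvider="RsaProtectedConfigurationProvider"/>'),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, "->", audit_web_config(xml_text))
```

A `static` result is not by itself a finding, since load-balanced farms legitimately share a key; it marks deployments where the key's origin should be confirmed.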