Sitecore CVE 2025 53690 Exploitation Campaign

Mandiant investigated a ViewState deserialization attack exploiting an exposed ASP.NET machine key in Sitecore deployments (CVE-2025-53690) that enabled remote code execution and deployment of reconnaissance and tunneling tools. The actor used WEEPSTEEL, EARTHWORM, DWAGENT, SHARPHOUND, and attempted GoTokenTheft to escalate privileges, perform AD reconnaissance, and exfiltrate data. #WEEPSTEEL #EARTHWORM

Keypoints

  • Initial compromise exploited ViewState deserialization (CVE-2025-53690) on Sitecore instances using a publicly exposed sample ASP.NET machine key.
  • Mandiant decrypted the malicious ViewState payload (using the recovered machine key) and identified an embedded .NET assembly tracked as WEEPSTEEL used for internal reconnaissance.
  • Attacker archived the web root (including web.config) and staged tooling in public directories, deploying open-source tools like EARTHWORM (tunneler), DWAGENT (RAT), and SHARPHOUND (AD reconnaissance).
  • Privilege escalation involved creating local admin accounts (asp$, sawadmin), installing DWAGENT, and attempting token theft with GoToken.exe (GoTokenTheft) followed by SAM/SYSTEM hive dumps.
  • Persistence and lateral movement used RDP over EARTHWORM reverse SOCKS proxies to C2 servers (e.g., 130.33.156[.]194, 103.235.46[.]102) and compromised admin credentials for further access.
  • Active Directory enumeration and discovery included locating domain controllers, searching SYSVOL for cpassword in GPO XMLs, and collecting BloodHound data via SharpHound.
  • Mandiant worked with Sitecore; Sitecore released advisory SC2025-005 and updated deployments to generate unique machine keys; Mandiant provided detection rules and YARA signatures.
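
The root cause in the keypoints above is a static machineKey that was public, so anyone could produce ViewState the server would accept. The Python below is an added example, not code from the original post or from Mandiant or Sitecore: it audits a web.config for a known-published key, a disabled ViewState MAC or a legacy validation algorithm, and rewrites the element with freshly generated keys. The placeholder key values, the published-key sets and the web.config fragment are all constructed for this example; they are not the real Sitecore sample key.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Keys known to be public (copied from documentation, sample projects, etc.).
# These values are placeholders constructed for this example, NOT the real
# key that was exposed in Sitecore's deployment guides.
PUBLISHED_VALIDATION_KEYS = {"AB" * 64}   # 128 hex chars, the HMACSHA256 size
PUBLISHED_DECRYPTION_KEYS = {"CD" * 32}   # 64 hex chars, AES-256

# Constructed web.config fragment that reuses the placeholder public key.
VULNERABLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'AB' * 64}"
                decryptionKey="{'CD' * 32}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def generate_machine_key():
    """Fresh, per-deployment key material in the sizes ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def audit_machine_key(web_config_xml):
    """Return a list of findings for every <machineKey> in a web.config string."""
    findings = []
    root = ET.fromstring(web_config_xml)
    keys = list(root.iter("machineKey"))
    if not keys:
        # ASP.NET then auto-generates per host; still confirm nothing static is
        # inherited from machine.config or a parent web.config.
        return ["no <machineKey> element; check machine.config and parent web.config for an inherited key"]
    for mk in keys:
        for attr, published in (("validationKey", PUBLISHED_VALIDATION_KEYS),
                                ("decryptionKey", PUBLISHED_DECRYPTION_KEYS)):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue
            if value.upper() in published:
                findings.append(f"{attr} matches a publicly published sample key; rotate it")
            elif not HEX_RE.fullmatch(value):
                findings.append(f"{attr} is not a hex string")
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo not in STRONG_VALIDATION:
            findings.append(f"validation={algo} is a legacy algorithm; use HMACSHA256")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false disables ViewState integrity checks entirely")
    return findings


def rotated_config(web_config_xml):
    """Rewrite every <machineKey> with freshly generated unique keys."""
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        for attr, value in generate_machine_key().items():
            mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_machine_key(VULNERABLE_WEB_CONFIG))
    print(audit_machine_key(rotated_config(VULNERABLE_WEB_CONFIG)))
```

Run `audit_machine_key` over every web.config and machine.config in the farm, since a key inherited from a parent configuration is just as exploitable as one in the site's own file. After rotation, ViewState and forms-authentication tickets issued under the old key stop validating, which is the intended effect; in a multi-server farm the new key must be deployed to every node at once.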

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial compromise exploited the ViewState deserialization vulnerability CVE-2025-53690 in Sitecore’s blocked.aspx endpoint: malicious ViewState was posted to an accessible __VIEWSTATE field and deserialized because the server’s machine key was public (“When machine keys … are compromised, the application effectively loses its ability to differentiate between legitimate and malicious ViewState payloads”), giving remote code execution in the IIS worker process (“Initial compromise was achieved by exploiting the ViewState Deserialization vulnerability CVE-2025-53690 … resulting in remote code execution”).
  • [T1620] Reflective Code Loading – Embedded .NET assembly (Information.dll / WEEPSTEEL) was delivered via ViewState and executed for reconnaissance (“decrypted the threat actor’s ViewState payload … contained an embedded .NET assembly named Information.dll. This assembly … functions as an internal reconnaissance tool”).
  • [T1016 / T1049] System Network Configuration Discovery / System Network Connections Discovery – WEEPSTEEL collected network adapter details and the host’s active connections to fingerprint the system (“NetworkAdapterInformation … active network connections” gathered by WEEPSTEEL for reconnaissance); this is host-side enumeration, not packet capture.
  • [T1005] Data from Local System – Attacker archived the web root, including web.config, to collect sensitive configuration data (“archived the contents of \inetpub\sitecore\SitecoreCD\Website … contained sensitive files, such as the web.config file”).
  • [T1105] Ingress Tool Transfer – Staging and deployment of tools (7za.exe, EARTHWORM, DWAGENT, SharpHound, GoToken.exe) in public directories for later execution (“Files written into the Public directory include: 7za.exe … lfe.ico (EARTHWORM) … DWAgent installer … GoToken.exe”).
  • [T1136.001 / T1134.001] Create Account: Local Account / Access Token Manipulation: Token Impersonation/Theft – Elevation from NETWORK SERVICE to SYSTEM or Administrator, creation of the local administrator accounts asp$ and sawadmin, and attempted token theft with GoToken.exe (“Following initial compromise, the threat actor elevated their access from NETWORK SERVICE privileges to the SYSTEM or ADMINISTRATOR level”, plus the net user / net localgroup commands adding asp$ and sawadmin to Administrators).
  • [T1003.002] OS Credential Dumping: Security Account Manager – Exporting the SYSTEM and SAM hives so local password hashes can be extracted offline (“reg save HKLM\SYSTEM c:\users\public\system.hive … reg save HKLM\SAM c:\users\public\sam.hive”).
  • [T1059.005 / T1059.003] Command and Scripting Interpreter: Visual Basic / Windows Command Shell – A VBScript launcher for EARTHWORM (“1.vbs … contained a simple VBS code to launch the EARTHWORM”) and shell commands such as net user and reg save.
  • [T1078] Valid Accounts – Use, and later removal, of the created local admin accounts and use of compromised administrator accounts for RDP and lateral movement (“asp$ … sawadmin … The compromised administrator accounts were used to RDP to other hosts”).
  • [T1021.001 / T1090] Remote Services: Remote Desktop Protocol / Proxy – RDP for lateral movement and interactive access, routed through the reverse SOCKS proxy EARTHWORM established to the C2 servers (“traffic was routed through a reverse SOCKS proxy created by EARTHWORM to bypass security controls and obscure their activities”).
  • [T1069.002 / T1018] Permission Groups Discovery: Domain Groups / Remote System Discovery – Enumeration of the Domain Admins group and of domain controllers (“net group domain admins … nltest /DCLIST:”).
  • [T1552.006] Unsecured Credentials: Group Policy Preferences – Searching SYSVOL for cpassword values in GPO XML files.
  • [T1087.002 / T1560.001] Account Discovery: Domain Account / Archive Collected Data: Archive via Utility – SharpHound collection of BloodHound data, with 7-Zip used to package the output (“sh.exe -c all … C:\Program Files\7-Zip\7zFM.exe "C:\Users\Public\Music\_BloodHound.zip"”).
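
Most of the techniques listed above leave command-line evidence that any process-creation telemetry source (Sysmon Event ID 1, EDR) records. The Python below is an added example, not from the original post: it runs a set of matchers over constructed sample events modelled on the commands quoted on this page (hostnames, the domain name, the password and the script path are made up) and escalates a host once several distinct stages of the chain appear on it, because any one of these commands is noisy on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR style)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry modelled on the command lines quoted above.
# Hostnames, domain, password and the exact script path are made up.
SAMPLE_EVENTS = [
    ProcEvent("web01", "NT AUTHORITY\\NETWORK SERVICE", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    ProcEvent("web01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "net.exe", "net user asp$ Passw0rd! /add"),
    ProcEvent("web01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "net.exe", "net localgroup administrators asp$ /add"),
    ProcEvent("web01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "reg.exe", "reg save HKLM\\SYSTEM c:\\users\\public\\system.hive"),
    ProcEvent("web01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "reg.exe", "reg save HKLM\\SAM c:\\users\\public\\sam.hive"),
    ProcEvent("web01", "CORP\\sawadmin", "cmd.exe", "wscript.exe", "wscript.exe C:\\Users\\Public\\1.vbs"),
    ProcEvent("web01", "CORP\\sawadmin", "cmd.exe", "nltest.exe", "nltest /DCLIST:corp.example"),
    ProcEvent("web01", "CORP\\sawadmin", "cmd.exe", "net.exe", 'net group "domain admins" /domain'),
    ProcEvent("web01", "CORP\\sawadmin", "cmd.exe", "findstr.exe",
              "findstr /S /I cpassword \\\\corp.example\\sysvol\\corp.example\\policies\\*.xml"),
    ProcEvent("web01", "CORP\\sawadmin", "cmd.exe", "sh.exe", "sh.exe -c all"),
    ProcEvent("ws07", "CORP\\jdoe", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),  # benign
]


def _cmd(pattern):
    """Build a matcher that tests the command line against a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.cmdline) is not None


RULES = [
    ("IIS worker process spawned a shell",
     lambda e: e.parent.lower() == "w3wp.exe" and e.image.lower() in {"cmd.exe", "powershell.exe"}),
    ("local account created", _cmd(r"^net1?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("account added to local Administrators", _cmd(r"^net1?\s+localgroup\s+administrators\s+.*/add\b")),
    ("SAM/SYSTEM hive exported with reg save", _cmd(r"^reg(\.exe)?\s+save\s+hklm\\(sam|system)\b")),
    ("script host run from Users\\Public", _cmd(r"^[wc]script(\.exe)?\s+.*\\users\\public\\")),
    ("domain controller enumeration", _cmd(r"^nltest(\.exe)?\s+/dclist")),
    ("Domain Admins enumeration", _cmd(r"^net1?\s+group\s+\"?domain admins\"?")),
    ("cpassword search in SYSVOL", _cmd(r"cpassword.*sysvol|sysvol.*cpassword")),
    ("SharpHound-style collection (-c all)", _cmd(r"(^|\s)-c\s+all\b")),
]


def detect(events):
    """Return one (host, user, rule, cmdline) tuple per matching rule per event."""
    hits = []
    for e in events:
        for name, matches in RULES:
            if matches(e):
                hits.append((e.host, e.user, name, e.cmdline))
    return hits


def escalate(events, min_stages=3):
    """Hosts on which at least `min_stages` distinct rules fired. A lone
    'net user' is noise; a web worker spawning a shell followed by account
    creation and a hive export on the same host is not."""
    stages = defaultdict(set)
    for host, _user, rule, _cl in detect(events):
        stages[host].add(rule)
    return {h: sorted(r) for h, r in stages.items() if len(r) >= min_stages}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(escalate(SAMPLE_EVENTS))
```

The first rule is the one worth tuning hardest for a Sitecore or any other ASP.NET estate: w3wp.exe should essentially never have cmd.exe or powershell.exe as a child, and that single event is the earliest visible sign of the ViewState exploitation described above, before any account creation or hive export occurs.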

Indicators of Compromise

  • [File hash] malware and tooling – WEEPSTEEL Information.dll: SHA-256 a566cceaf9a66332470a978a234a8a8e2bbdd4d6aa43c2c75c25a80b3b744307; SharpHound: SHA-256 61f897ed69646e0509f6802fb2d7c5e88c3e3b93c4ca86942e24d203aa878863.
  • [File path / file name] staged files and binaries – C:\Users\Public\Music\lfe.ico (EARTHWORM, SHA-256 b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b), C:\Users\Public\Music\GoToken.exe (MD5 62483e732553c8ba051b792949f3c6d0).
  • [Domain / URL] download source – hxxp://130.33.156[.]194/main.exe used to retrieve main.exe (MD5 be7e2c6a9a4654b51a16f8b10a2be175) and other tooling.
  • [IP addresses] C2 and tunneling endpoints – 130.33.156[.]194 (ports 443, 8080) and 103.235.46[.]102:80 used by EARTHWORM reverse SOCKS connections.
  • [Account names] created or observed accounts – Local accounts asp$ and sawadmin created by the attacker; observed workstation h496883 as RDP source.


Read more: https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability