
CVE-2025-53690 - Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability

Project: Sitecore

Product: Multiple Products

Date Added: 2025-09-04

Due Date: 2025-09-25

Vulnerability Name

Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability

Description

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865

https://nvd.nist.gov/vuln/detail/CVE-2025-53690

Related News Articles

CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation (September 6, 2025)

Hackers exploited Sitecore zero-day flaw to deploy backdoors (September 5, 2025)