Hackers Exploit Sitecore Zero-Day for Malware Delivery
Google has observed ViewState deserialization attacks leveraging a sample machine key exposed in older deployment guides.
Threat actors have been using an exposed ASP.NET machine key for remote code execution (RCE) on vulnerable Sitecore deployments, Google warns.
Adversaries used a sample machine key included in Sitecore deployment guides from 2017 and earlier to execute a ViewState deserialization attack against internet-accessible Sitecore instances.
The issue, tracked as CVE-2025-53690 (CVSS score of 9.0), is described as a deserialization of untrusted data bug affecting Sitecore Experience Manager (XM) and Experience Platform (XP) deployments prior to version 9.0 that were set up using the sample key exposed in the guides.
Sitecore has addressed the security defect and released an advisory to provide organizations with recommended mitigation guidance and indicators of compromise (IoCs).
“Sitecore has confirmed that its updated deployments automatically generate a unique machine key and that affected customers have been notified,” Google notes.
As part of the observed attacks, which were quickly disrupted, the hackers used a ViewState payload containing the WeepSteel malware, which enables internal reconnaissance.
Furthermore, Google observed the threat actor archiving the root directory of the web application (likely to obtain sensitive files), performing host and network reconnaissance, deploying open source tools for network tunnelling and remote access, and creating local administrator accounts.
The attacks started with HTTP requests, for probing purposes, followed by ViewState deserialization attacks on the /sitecore/blocked.aspx page, which uses a hidden ViewState form and can be accessed without authentication.
ViewState is an ASP.NET feature that persists the state of a web page in a hidden HTML form field. If the server's ViewState validation is missing or can be bypassed, attackers can make it deserialize attacker-controlled ViewState messages; because the machine key is what the server uses to validate ViewState, a publicly exposed key opens the door for this attack.
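As an added defender-side example (not code from the article or from Google's report), the following Python triages IIS W3C log entries for ViewState POSTs against the unauthenticated endpoint named above. The sample log lines, client addresses and the body-size cutoff are constructed assumptions, not values from the incident.

```python
"""Triage IIS W3C logs for ViewState deserialization attempts against the
unauthenticated Sitecore page /sitecore/blocked.aspx."""
from collections import defaultdict

TARGET_STEM = "/sitecore/blocked.aspx"   # unauthenticated page with a hidden ViewState form
LARGE_BODY = 4096                        # assumed cutoff: a legitimate postback here is small

# Constructed sample lines in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2025-09-01 10:00:01 203.0.113.10 GET /sitecore/blocked.aspx - 200 412
2025-09-01 10:00:03 203.0.113.10 POST /sitecore/blocked.aspx - 500 18231
2025-09-01 10:00:04 203.0.113.10 POST /sitecore/blocked.aspx - 200 17904
2025-09-01 10:02:17 198.51.100.7 GET /sitecore/login - 200 301
2025-09-01 10:03:40 198.51.100.9 POST /sitecore/blocked.aspx - 200 655
"""


def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def flag_viewstate_attempts(text):
    """Return {client_ip: [reasons]} for POSTs to TARGET_STEM that look like
    ViewState probes (rejected with 500) or oversized payload deliveries."""
    findings = defaultdict(list)
    for e in parse_w3c(text):
        if e.get("cs-uri-stem", "").lower() != TARGET_STEM or e.get("cs-method") != "POST":
            continue
        size = int(e.get("cs-bytes", 0))
        status = e.get("sc-status", "")
        if status == "500":
            # A 500 on a ViewState POST is consistent with a failed MAC check (wrong-key probe).
            findings[e["c-ip"]].append(f"{e['time']} POST {status} body={size}: ViewState POST rejected")
        elif size > LARGE_BODY:
            findings[e["c-ip"]].append(f"{e['time']} POST {status} body={size}: oversized ViewState POST accepted")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in flag_viewstate_attempts(SAMPLE_LOG).items():
        print(ip, *reasons, sep="\n  ")
```

Hits on an accepted oversized POST after a rejected one from the same client are the pattern worth correlating with the host-side activity the article goes on to describe.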
WeepSteel, the .NET assembly deployed in this attack, can harvest system, network, and user information, encrypt the data, and send it to the attackers as a ViewState response.
After initial compromise, the attackers exfiltrated critical configuration files by archiving the web root directory, fingerprinted the server, and deployed open source tools in public directories, including the EarthWorm tunneler, the DWagent remote access tool, and the SharpHound AD reconnaissance tool.
They then created a local administrator account mimicking the name of an ASP.NET service account, established a remote session, created a second local admin account, and executed a binary named GoToken, which appears to be GoTokenTheft, a token-stealing tool written in Golang.
The hackers then established Remote Desktop Protocol access using the newly created accounts and dumped the SYSTEM and SAM registry hives to extract the password hashes of local users.
“The threat actor maintained persistence through a combination of methods, leveraging both created and compromised administrator credentials for RDP access. Additionally, the threat actor issued commands to maintain long-term access to accounts. This included modifying settings to disable password expiration for administrative accounts of interest,” Google notes.
The attackers were also seen deleting the created accounts after compromising other admin users, performing internal reconnaissance, and moving laterally using the compromised accounts.
Posted on: 9/5/2025 7:51:29 AM