Updated:
Status:
CVEs: CVE-2025-53690
Sitecore products are affected by a ViewState deserialization vulnerability (CVE-2025-53690). ASP.NET protects ViewState with a MAC derived from the validationKey in the <machineKey> configuration (and encrypts it with the decryptionKey), so anyone who knows those keys can produce ViewState that the server accepts as authentic. The issue arises when the sample machine keys published in Sitecore's deployment documentation are left in place in production deployments: an attacker who knows those keys can craft a malicious, correctly signed ViewState payload that the server deserializes, giving remote code execution on the web server in the context of the IIS application pool identity.
Who is affected?
All versions of the following products are potentially vulnerable; what matters is whether the deployment still uses the publicly documented sample machine keys, not the product version:
- Sitecore Experience Manager (XM)
- Sitecore Experience Platform (XP)
- Sitecore Experience Commerce (XC)
- Sitecore Managed Cloud
What can I do?
To mitigate this vulnerability, ensure that the default, publicly documented machine keys are not in use and rotate machine keys regularly.
Configuration changes are required to resolve this vulnerability. Any deployment using the default, publicly documented machine keys must replace them with unique, randomly generated keys; rotating the keys also invalidates any ViewState an attacker could have signed with the old values. Follow Sitecore's guidance on how to rotate and manage machine keys, and apply the same new keys to every instance in a web farm so that legitimate ViewState continues to validate across servers.
To maintain the confidentiality of the new keys, restrict file-system access to web.config (and to any configuration files it includes) and encrypt the machineKey section, for example with the ASP.NET configuration encryption provided by aspnet_regiis.exe, so the keys are not stored in clear text.
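As an added example (not Sitecore's or Fortra's code), the following Python script audits the <machineKey> element of a web.config for publicly documented sample keys and weak settings, then produces a replacement element with freshly generated random keys. The KNOWN_SAMPLE_KEYS set and the SAMPLE_WEB_CONFIG are placeholders constructed for this example: the page does not reproduce Sitecore's documented key values, so populate the set from Sitecore's own documentation before using it.

```python
"""Audit an ASP.NET web.config <machineKey> and generate rotated keys.

Added example for this advisory; it is not Sitecore's or Fortra's code.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Placeholder set of publicly documented keys. The entries below are constructed for
# this example and are NOT real Sitecore sample keys; fill in the documented values.
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,   # constructed 128-hex-char "validationKey"
    "FEDCBA9876543210" * 4,   # constructed 64-hex-char "decryptionKey"
}
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample web.config that reuses the placeholder sample keys and a weak MAC.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'0123456789ABCDEF' * 8}"
                decryptionKey="{'FEDCBA9876543210' * 4}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings (empty list means nothing to fix) for one web.config string."""
    root = ET.fromstring(config_xml)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("CRITICAL: enableViewStateMac=false disables the ViewState MAC entirely")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append("INFO: no <machineKey>; keys are auto-generated per machine "
                        "(a web farm needs an explicit, shared key)")
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"CRITICAL: {attr} is a publicly documented sample key; rotate it now")
        elif value.startswith("AutoGenerate"):
            continue
        elif not HEX_RE.match(value):
            findings.append(f"WARN: {attr} is not a hex string")
        elif attr == "validationKey" and len(value) < 128:
            findings.append(f"WARN: validationKey is {len(value)} hex chars; "
                            "use 128 (64 random bytes) for HMACSHA256")
        elif attr == "decryptionKey" and len(value) not in (32, 48, 64):
            findings.append(f"WARN: decryptionKey is {len(value)} hex chars; "
                            "AES needs 32, 48 or 64")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() not in STRONG_VALIDATION:
        findings.append(f"WARN: validation={validation} is weak; use HMACSHA256 or stronger")
    decryption = mk.get("decryption", "Auto")
    if decryption.upper() not in ("AES", "AUTO"):
        findings.append(f"WARN: decryption={decryption} is weak; use AES")
    return findings


def generate_machine_key() -> dict:
    """Fresh keys from the OS CSPRNG: 64 bytes for HMACSHA256, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str) -> tuple[str, dict]:
    """Replace (or insert) <machineKey> with generated keys; return (new XML, keys).

    Deploy the same keys to every node of a web farm; rotation invalidates all
    ViewState and forms-authentication tickets issued under the old keys.
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    keys = generate_machine_key()
    for name, value in keys.items():
        mk.set(name, value)
    return ET.tostring(root, encoding="unicode"), keys


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
    new_xml, _ = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print(new_xml)
```

After writing the rotated element into web.config on every node, encrypt the section in place (for example `aspnet_regiis.exe -pef "system.web/machineKey" "C:\inetpub\wwwroot\sitecore"`) so the clear-text keys no longer sit on disk, and re-run the audit to confirm no finding remains.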
For more information from Sitecore, see:
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- Analytics: On September 5, 2025, Alert Logic released a log-based analytic to detect CVE-2025-53690 by identifying IIS ViewState validation errors against Sitecore URI paths.
- Tripwire Enterprise: On October 1, 2025, Tripwire released Indicator of Compromise detection for Tripwire Enterprise. This coverage is available in High Impact Vulnerabilities (Windows) version 2.4.0.
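To show what log-based detection of this attack pattern looks like, here is an added Python example (not Fortra's analytic, whose logic is not on this page). It scans a constructed, flattened rendition of ASP.NET health-monitoring events for ViewState MAC failures on Sitecore paths and alerts on a source that produces repeated failures within a short window. The key=value line format and all sample records are constructed for this example; the event codes 4009 (Viewstate verification failed) and 3005 (unhandled exception) are ASP.NET's own.

```python
"""Detect repeated ViewState MAC failures against Sitecore paths.

Added example for this advisory; not Fortra's or Sitecore's code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: a flattened key=value form of ASP.NET health-monitoring
# events. Real deployments would pull these from the Windows Application log.
SAMPLE_EVENTS = [
    'ts=2025-09-04T10:15:32 src=203.0.113.7 code=4009 path=/sitecore/shell/default.aspx '
    'msg="Viewstate verification failed. Reason: The viewstate supplied failed integrity check."',
    'ts=2025-09-04T10:15:40 src=203.0.113.7 code=4009 path=/sitecore/login '
    'msg="Viewstate verification failed. Reason: Viewstate was invalid."',
    'ts=2025-09-04T10:16:02 src=203.0.113.7 code=3005 path=/sitecore/shell/default.aspx '
    'msg="An unhandled exception has occurred. Exception message: Validation of viewstate MAC failed."',
    # ViewState failure outside Sitecore paths: ignored by this rule
    'ts=2025-09-04T10:20:11 src=198.51.100.23 code=4009 path=/ '
    'msg="Viewstate verification failed. Reason: Viewstate was invalid."',
    # Unrelated exception on a Sitecore path: not a ViewState failure
    'ts=2025-09-04T10:30:00 src=192.0.2.9 code=3005 path=/sitecore/shell/default.aspx '
    'msg="An unhandled exception has occurred. Exception message: Object reference not set."',
    # Single failure from another source: below the threshold
    'ts=2025-09-04T11:05:00 src=198.51.100.40 code=4009 path=/sitecore/shell/default.aspx '
    'msg="Viewstate verification failed. Reason: Viewstate was invalid."',
]

VIEWSTATE_PATTERNS = ("viewstate verification failed", "validation of viewstate mac failed")
TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value record; quoted values may contain spaces."""
    fields = {}
    for m in TOKEN_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def is_viewstate_failure(ev: dict) -> bool:
    msg = ev.get("msg", "").lower()
    return ev.get("code") == "4009" or any(p in msg for p in VIEWSTATE_PATTERNS)


def is_sitecore_path(ev: dict) -> bool:
    return ev.get("path", "").lower().startswith("/sitecore/")


def detect(lines, threshold: int = 2, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {source_ip: [paths]} for sources with >= threshold ViewState failures
    on Sitecore paths inside any window-sized span."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_viewstate_failure(ev) and is_sitecore_path(ev):
            hits[ev["src"]].append((datetime.fromisoformat(ev["ts"]), ev["path"]))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = [path for t, path in events[i:] if t - t0 <= window]
            if len(in_window) >= threshold:
                alerts[src] = in_window
                break
    return alerts


if __name__ == "__main__":
    for src, paths in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {len(paths)} ViewState failures on {sorted(set(paths))}")
```

Expect a burst of MAC failures from many legitimate clients immediately after a key rotation; tune the threshold or suppress the rule for that window, and treat failures concentrated on /sitecore/ paths from a handful of external addresses as the signal worth investigating.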
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated as new information about it and related security coverage becomes available.
9/5/2025: A log-based analytic to detect CVE-2025-53690 was released for Analytics.
10/1/2025: Indicator of Compromise detection was released for Tripwire Enterprise.
