External risk intelligence

Sitecore Products Vulnerable to Code Injection

CVE advisory · Known Exploit

CVE-2025-53690

Certain Sitecore products face a code injection risk due to a vulnerability in handling untrusted data. This could allow unauthorized code execution, impacting business operations.

Halo Surface Signal: 4

Weakness: Deserialization

Product: Sitecore Experience Commerce

Affected versions: 9.0 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2025-53690

Sitecore Experience Platform and Experience Manager are web content management systems commonly deployed as internet-facing web applications to serve public-facing websites and digital experiences, making their interfaces reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

Certain Sitecore products, including Experience Manager, Experience Platform, and Experience Commerce, are affected by a vulnerability related to the handling of untrusted data. This flaw allows for the injection of malicious code into affected systems. The potential impact could include unauthorized code execution, compromising the integrity and availability of business operations.

  • Vulnerable Sitecore products
  • Deserialization of untrusted data
  • Code injection and system compromise

Attack Path

How an attacker could exploit the issue

Sitecore Experience Manager and Platform are susceptible to an attack where an attacker can inject code through untrusted data deserialization. This vulnerability allows for remote code execution by exploiting default machine keys. The attack path involves an attacker gaining access to a vulnerable system, triggering a deserialization process with malicious data, and subsequently achieving control over the system.

  • Unprotected systems are exposed.
  • Attacker sends malicious data.
  • Code injection leads to control.

Live Threat

Current exploitation, exposure, and threat context

A deserialization of untrusted data vulnerability in Sitecore Experience Manager and Platform allows for code injection. Attackers could leverage this to execute arbitrary code, impacting system integrity and data confidentiality. This threat requires immediate attention for affected organizations.

  • Likely attacker skill level: Advanced
  • Required access or conditions: Network access
  • Business risk or urgency: Critical; immediate action required

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Sitecore products allows for code injection, posing a significant risk to affected organizations. The issue stems from the deserialization of untrusted data, which can be exploited by attackers to execute arbitrary code. This could lead to a complete compromise of systems, impacting data integrity, confidentiality, and availability. Understanding and addressing this vulnerability is crucial for maintaining business operations and security.

  • Identify all Sitecore Experience Manager, Platform, Commerce, and Managed Cloud assets.
  • Restrict network access to affected Sitecore systems.
  • Implement vendor fixes, verify, and monitor for activity.
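The attack path above turns on ASP.NET machine keys left at published sample values, and the last priority action is to verify the fix. The script below is an added example, not Sitecore's or this advisory's own tooling: it parses a web.config, flags machineKey values that match a denylist of sample keys, and also flags weak validation or decryption algorithms, undersized keys, and auto-generated keys. The values in KNOWN_SAMPLE_KEYS are constructed stand-ins, not the real published keys; populate that set from the vendor advisory. The key-length thresholds follow the usual Microsoft guidance (64-byte validationKey, 32-byte decryptionKey) and are an assumption, not something this page states. The sample configurations are constructed for the demonstration.

```python
"""Audit ASP.NET web.config <machineKey> settings for conditions that make
ViewState deserialization abuse easier: keys copied from published samples,
weak MAC/cipher algorithms, or undersized keys.
Added example; not Sitecore code and not this advisory's tooling."""
import re
import secrets
import sys
import xml.etree.ElementTree as ET
from typing import Iterable, List, Union

# Constructed stand-ins for published sample keys. In a real audit, populate
# this set from the vendor advisory; these values are NOT the real sample keys.
KNOWN_SAMPLE_KEYS = {
    "0123456789abcdef" * 8,   # 128 hex chars, shaped like a validationKey
    "0123456789abcdef" * 4,   # 64 hex chars, shaped like a decryptionKey
}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
MIN_VALIDATION_HEX = 128   # assumption: 64-byte validationKey for HMACSHA256
MIN_DECRYPTION_HEX = 64    # assumption: 32-byte decryptionKey for AES-256
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def _key_body(value: str) -> str:
    # Strip modifiers such as ",IsolateApps" that may follow the hex string.
    return value.split(",")[0].strip()


def audit_machine_key(web_config_xml: Union[str, bytes],
                      sample_keys: Iterable[str] = KNOWN_SAMPLE_KEYS) -> List[str]:
    """Return findings for one web.config; an empty list means nothing was flagged."""
    samples = {k.lower() for k in sample_keys}
    findings: List[str] = []
    root = ET.fromstring(web_config_xml)
    # iter() also finds a machineKey nested under <location> elements.
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return ["INFO no <machineKey> element: keys are auto-generated per server; confirm this is intended"]

    for attr, minimum in (("validationKey", MIN_VALIDATION_HEX),
                          ("decryptionKey", MIN_DECRYPTION_HEX)):
        body = _key_body(mk.get(attr, "AutoGenerate"))
        if body.lower() in samples:
            findings.append(f"CRITICAL {attr} matches a published sample key: rotate it now")
        elif body.upper() == "AUTOGENERATE":
            findings.append(f"INFO {attr} is AutoGenerate: fine for one server, breaks load-balanced farms")
        elif not HEX_RE.fullmatch(body):
            findings.append(f"HIGH {attr} is not a hex string")
        elif len(body) < minimum:
            findings.append(f"HIGH {attr} is {len(body)} hex chars; expected at least {minimum}")

    validation = mk.get("validation", "").upper()
    if not validation:
        findings.append("MEDIUM validation unset: set HMACSHA256 or stronger explicitly")
    elif validation not in STRONG_VALIDATION:
        findings.append(f"HIGH validation algorithm {validation}: use HMACSHA256 or stronger")

    decryption = mk.get("decryption", "").upper()
    if decryption and decryption not in ("AES", "AUTO"):
        findings.append(f"HIGH decryption algorithm {decryption}: use AES")
    return findings


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="%s" decryptionKey="%s"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""" % ("0123456789ABCDEF" * 8, "0123456789ABCDEF" * 4)

GOOD_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{secrets.token_hex(64)}"
                decryptionKey="{secrets.token_hex(32)}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

NO_KEY_CONFIG = "<configuration><system.web/></configuration>"


if __name__ == "__main__":
    # With no arguments, audit the constructed samples; otherwise each path given.
    if len(sys.argv) == 1:
        for label, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG), ("no-key", NO_KEY_CONFIG)):
            print(label, audit_machine_key(cfg) or ["no findings"])
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:          # bytes input lets ElementTree honour the BOM/encoding
            print(path, audit_machine_key(fh.read()) or ["no findings"])
```

Run it against every Sitecore instance's web.config after patching; a CRITICAL finding means the keys still match published samples and must be rotated on every node of the farm together, since ViewState signed under the old key stops validating once the key changes.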

Frequently asked questions

What are Sitecore Experience Manager and Platform used for?

Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) are used to create, manage, and deliver digital content and personalized customer experiences. They function as Content Management Systems (CMS) and Digital Experience Platforms (DXP), enabling businesses to manage websites, run marketing campaigns, and enhance customer service across various channels and devices.

What is CVE-2025-53690 and its weakness?

CVE-2025-53690 is a critical "Deserialization of Untrusted Data" vulnerability (CWE-502) affecting Sitecore Experience Manager and Platform up to version 9.0. This weakness allows attackers to inject and execute arbitrary code by exploiting insecure handling of serialized data.

How can CVE-2025-53690 be exploited?

Attackers can exploit CVE-2025-53690 by sending malicious data that triggers an insecure deserialization process. This can lead to remote code execution, potentially giving attackers control over the affected systems.

What is the relevance of CVE-2025-53690 to Sitecore products?

This vulnerability is relevant to Sitecore Experience Manager, Platform, Commerce, and Managed Cloud versions up to 9.0. Attackers can leverage it to inject code, leading to system compromise and impacting business operations.

What steps should be taken to respond to CVE-2025-53690?

Organizations should identify all affected Sitecore assets, restrict network access to these systems, and implement vendor fixes. Monitoring for suspicious activity post-remediation is also crucial.
