CVE-2025-53690 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865

History

Thu, 04 Sep 2025 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 03 Sep 2025 20:15:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Title		Sitecore Products ViewState Deserialization Vulnerability
Weaknesses		CWE-502
References		https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
Metrics		cvssV3_1 `{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Wiz

Published: 2025-09-03T20:04:48.223Z

Updated: 2025-09-04T03:55:53.472Z

Reserved: 2025-07-08T14:21:02.028Z

Link: CVE-2025-53690

Vulnrichment

Updated: 2025-09-03T20:14:09.184Z

NVD

Status : Received

Published: 2025-09-03T20:15:33.473

Modified: 2025-09-03T20:15:33.473

Link: CVE-2025-53690

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53690", "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e", "state": "PUBLISHED", "assignerShortName": "Wiz", "dateReserved": "2025-07-08T14:21:02.028Z", "datePublished": "2025-09-03T20:04:48.223Z", "dateUpdated": "2025-09-04T03:55:53.472Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Experience Manager (XM)", "vendor": "Sitecore", "versions": [{"lessThanOrEqual": "9.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Experience Platform (XP)", "vendor": "Sitecore", "versions": [{"lessThanOrEqual": "9.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(254, 254, 254);\">Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.</span><br>"}], "value": "Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable."}], "credits": [{"lang": "en", "type": "finder", "value": "Mandiant Threat Defense"}], "datePublic": "2025-09-03T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.<p>This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9947ef80-c5d5-474a-bbab-97341a59000e", "shortName": "Wiz", "dateUpdated": "2025-09-03T20:04:48.223Z"}, "references": [{"url": "https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability"}, {"url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865"}], "source": {"discovery": "USER"}, "title": "Sitecore Products ViewState Deserialization Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-53690"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T03:55:53.472Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-03T20:14:04.972894Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T20:14:09.184Z"}}], "cna": {"title": "Sitecore Products ViewState Deserialization Vulnerability", "source": {"discovery": "USER"}, "credits": [{"lang": "en", "type": "finder", "value": "Mandiant Threat Defense"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sitecore", "product": "Experience Manager (XM)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.0"}], "defaultStatus": "unaffected"}, {"vendor": "Sitecore", "product": "Experience Platform (XP)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.0"}], "defaultStatus": "unaffected"}], "datePublic": "2025-09-03T18:00:00.000Z", "references": [{"url": "https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability"}, {"url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.<p>This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "configurations": [{"lang": "en", "value": "Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(254, 254, 254);\">Customers who followed the deployment instructions provided with XP 9.0 or earlier and Active Directory 1.4 or earlier and used the sample machine key (for example, machine key: BDDFE367CD..., validation key: 0DAC68D020...) are vulnerable.</span><br>", "base64": false}]}], "providerMetadata": {"orgId": "9947ef80-c5d5-474a-bbab-97341a59000e", "shortName": "Wiz", "dateUpdated": "2025-09-03T20:04:48.223Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53690", "state": "PUBLISHED", "dateUpdated": "2025-09-04T03:55:53.472Z", "dateReserved": "2025-07-08T14:21:02.028Z", "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e", "datePublished": "2025-09-03T20:04:48.223Z", "assignerShortName": "Wiz"}, "dataVersion": "5.1"}