Exploitation Wave
Security Patch Release
Vulnerability
Sitecore ViewState exploitation and ScreenConnect machine-key hardening
Updated 18.03.2026 20:10
Case score 57
Score breakdown
- Total: 57
- Lead score: 57
- Support bonus: +0 / 20
- Scoring support: 0
- Context members: 2
Top contributors
- Exploitation Wave (base): Core Sitecore exploitation wave with active use of exposed ASP.NET machine keys and follow-on intrusion activity.
- Vulnerability (context): ScreenConnect CVE-2026-3564 shows a related machine-key verification risk, but active exploitation is not confirmed.
- Security Patch Release (context): ScreenConnect 26.1 hardens machine-key handling and gives defender context for the same exposure class.
Members 3
Latest activity 18.03.2026 20:10
Active exploitation
Patch available
CVSS: 9.0 Critical
First seen 05.09.2025 01:05
Last seen 18.03.2026 20:10
Overview
Attackers are exploiting **Sitecore CVE-2025-53690** by abusing exposed **ASP.NET machine keys** to gain remote code execution on internet-facing Sitecore deployments. The machine key is what ASP.NET uses to sign and encrypt ViewState, so an attacker who knows a deployment's validation key can produce a ViewState payload the server accepts as genuine and deserializes. Mandiant reported that the attackers used a sample machine key that appeared in Sitecore deployment guides from **2017 and earlier**, which points to reused or copied key material as the enabling condition. CISA told **FCEB agencies** to update Sitecore by **September 25, 2025** after the flaw was found under active exploitation.

After initial access, the activity moved into deeper compromise: **WEEPSTEEL** for collection, followed by privilege escalation, persistence, and internal reconnaissance, with **EarthWorm** for tunneling, **DWAgent** for remote access, **SharpHound** for directory mapping, **GoTokenTheft** for token abuse, and **RDP** for lateral movement. The number of affected Sitecore organizations remains unquantified.

ConnectWise later disclosed **CVE-2026-3564** in **ScreenConnect**, a cryptographic signature-verification flaw tied to ASP.NET machine keys that can enable unauthorized session authentication, access, and privilege escalation. **ScreenConnect 26.1** strengthens machine-key handling with encrypted storage; cloud customers were moved automatically, while on-premises administrators were told to upgrade as soon as possible. ConnectWise said it had no evidence of active exploitation in its hosted service and no confirmed IOCs to share, so the ScreenConnect flaw is tracked here as related exposure, not as confirmed exploitation.
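Both entries in this case come down to the same exposure class: a static ASP.NET machine key that is copied, shared, or weakly protected. The following audit-and-rotate script is an added example written for this page; it is not code from Sitecore, ConnectWise, Mandiant, or the case feed. The two `web.config` fragments are constructed, the key values in them are invented placeholders (not the real Sitecore sample key), and `KNOWN_EXPOSED_KEYS` is a hypothetical list an operator would populate from their own sources.

```python
"""Audit an ASP.NET web.config <machineKey> for the conditions that make
ViewState forgery possible, and emit a config with freshly generated keys.

Example code for this page; sample configs are constructed and the key
values are invented placeholders, not any vendor's published sample key.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed: a key copied from documentation into production, with SHA1 MAC.
STATIC_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>
"""

# Constructed: the ASP.NET default, per-application auto-generated keys.
DEFAULT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Hypothetical: key material the operator knows to be published or reused
# (vendor guides, old builds, other tenants). Stored uppercase for matching.
KNOWN_EXPOSED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_machine_key(web_config_xml, known_exposed=KNOWN_EXPOSED_KEYS):
    """Return a list of (severity, message) findings for the <machineKey> settings."""
    root = ET.fromstring(web_config_xml)
    findings = []
    mk = root.find(".//machineKey")
    if mk is None:
        return findings  # framework default is AutoGenerate,IsolateApps

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.upper() in known_exposed:
            # A published key lets anyone sign ViewState this server will accept.
            findings.append(("high", f"{attr} matches a known exposed key"))
        elif "AutoGenerate" in value:
            if "IsolateApps" not in value:
                findings.append(("medium", f"{attr} is shared by every application on this server"))
        else:
            # Static keys are legitimate for web farms, but only if unique and secret.
            findings.append(("info", f"{attr} is static; confirm it is unique to this deployment"))

    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(("medium", f"validation={validation} is weaker than the recommended HMACSHA256"))

    pages = root.find(".//pages")
    if pages is not None:
        # Ignored by ASP.NET 4.5.2 and later, but older frameworks honour it.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("high", "enableViewStateMac=false disables ViewState integrity checks"))
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append(("medium", "viewStateEncryptionMode=Never leaves ViewState in cleartext"))
    return findings


def rotate_machine_key(web_config_xml):
    """Return the config with a new random 64-byte HMACSHA256 key and 32-byte AES key.

    Apply the same element to every node of a web farm; rotating invalidates
    outstanding ViewState and forms-auth tickets, so schedule it accordingly.
    """
    root = ET.fromstring(web_config_xml)
    mk = root.find(".//machineKey")
    if mk is None:
        parent = root.find(".//system.web")
        if parent is None:
            raise ValueError("no <system.web> section to hold <machineKey>")
        mk = ET.SubElement(parent, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, msg in audit_machine_key(STATIC_CONFIG):
        print(f"[{sev}] {msg}")
    print(rotate_machine_key(STATIC_CONFIG))
```

Run the audit against the `web.config` of each Sitecore or ScreenConnect instance (and any other ASP.NET site on the host); a `high` finding for a known exposed key is the condition this case describes, and the rotated config only helps if every node in the farm gets the same new element and the old key is treated as compromised.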