ViewState deserialization attack wave (2025)
Exploitation Wave
Summary
A 2025 ViewState deserialization attack wave continues to expose ASP.NET deployments to remote code execution wherever machine keys have been leaked or are improperly protected: an attacker who holds a server's validationKey (and decryptionKey) can sign a malicious serialized ViewState payload that the server accepts as authentic and deserializes. The latest case is CVE-2025-53690 in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, where attackers abused a sample ASP.NET machine key published in older Sitecore deployment guides to compromise internet-facing servers. CISA has ordered FCEB agencies to update Sitecore by September 25, 2025 after Mandiant reported active exploitation, deployment of WEEPSTEEL, and follow-on use of tools such as EarthWorm and SharpHound for reconnaissance, persistence, lateral movement, and data theft.
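The check a practitioner would want after reading the summary, as an added example that is not code from this page, from Sitecore or from Microsoft: a Python audit of the `<machineKey>` element in a web.config that flags static keys whose fingerprint matches a denylist of keys published in sample documentation, flags weak or legacy validation algorithms and undersized keys, and emits a replacement key pair generated from the OS CSPRNG. The "sample" key values, the denylist, and the web.config fragments are constructed for this example and are not the keys printed in any real deployment guide.

```python
"""Audit ASP.NET <machineKey> settings and generate deployment-unique replacements.

Added example; not code from the page, Sitecore or Microsoft. All key values
and config fragments below are constructed for demonstration.
"""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def _fingerprint(key: str) -> str:
    """SHA-256 of the lowercased hex key, so a denylist can ship without re-publishing keys."""
    return hashlib.sha256(key.lower().encode()).hexdigest()


# Constructed stand-ins for keys that appear in published sample configs.
CONSTRUCTED_SAMPLE_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars (64 bytes)
CONSTRUCTED_SAMPLE_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars (32 bytes)

# Constructed denylist. In practice, populate it from the keys in your vendor's documentation.
KNOWN_SAMPLE_KEY_FINGERPRINTS = {
    _fingerprint(CONSTRUCTED_SAMPLE_VALIDATION_KEY),
    _fingerprint(CONSTRUCTED_SAMPLE_DECRYPTION_KEY),
}

# validationKey: 64 bytes is what IIS generates for HMACSHA256; decryptionKey: AES needs at least 16 bytes.
MIN_HEX_LEN = {"validationKey": 128, "decryptionKey": 32}
# MD5/SHA1 are weak; 3DES/AES as *validation* values are legacy settings kept for backward compatibility.
WEAK_OR_LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the first <machineKey> element; an empty list means nothing to flag."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    findings: list[str] = []
    if mk is None:
        # No element: ASP.NET auto-generates per-server keys. Fine on a single host; a web farm
        # needs shared static keys, but they must still be unique to the deployment.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        val = mk.get(attr, "AutoGenerate,IsolateApps")
        if val.startswith("AutoGenerate"):
            continue
        if not HEX_RE.match(val):
            findings.append(f"{attr}: not a hex string")
            continue
        if _fingerprint(val) in KNOWN_SAMPLE_KEY_FINGERPRINTS:
            findings.append(f"{attr}: matches a published sample key; anyone with the docs can forge ViewState")
        if len(val) < MIN_HEX_LEN[attr]:
            findings.append(f"{attr}: only {len(val) // 2} bytes, expected at least {MIN_HEX_LEN[attr] // 2}")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in WEAK_OR_LEGACY_VALIDATION:
        findings.append(f"validation={validation}: weak or legacy MAC algorithm; use HMACSHA256 or stronger")
    return findings


def generate_machine_key() -> dict[str, str]:
    """Fresh keys from the OS CSPRNG, same sizes IIS's 'Generate Keys' produces."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def machine_key_element(keys: dict[str, str]) -> str:
    """Render the keys as a <machineKey/> element ready to paste into web.config."""
    attrs = " ".join(f'{k}="{v}"' for k, v in keys.items())
    return f"<machineKey {attrs} />"


def wrap_config(machine_key_xml: str) -> str:
    """Constructed minimal web.config around a machineKey element."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"


# Constructed: a config that copied the sample keys and kept a weak MAC algorithm.
LEAKED_CONFIG = wrap_config(
    f'<machineKey validationKey="{CONSTRUCTED_SAMPLE_VALIDATION_KEY}" '
    f'decryptionKey="{CONSTRUCTED_SAMPLE_DECRYPTION_KEY}" validation="SHA1" decryption="AES" />'
)

if __name__ == "__main__":
    for finding in audit_machine_key(LEAKED_CONFIG):
        print("FINDING:", finding)
    print("Replacement:", machine_key_element(generate_machine_key()))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket, so do it during a maintenance window; a key that was ever published is compromised regardless of how the server is otherwise hardened, and auditing for it is a one-line grep once the fingerprints are known.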
Cases
Related Happenings
Microsoft out-of-band security update for ASP.NET Core Data Protection (CVE-2026-40372)
Security Patch Release
First: 22.04.2026 11:08
Last: 22.04.2026 11:08
Sources: 1
About this happening:
**Microsoft** released **out-of-band security updates** for **CVE-2026-40372**, an **ASP.NET Core Data Protection** flaw that could let attackers forge authentication cookies and...
ASP.NET Core Data Protection privilege escalation (CVE-2026-40372)
Vulnerability
First: 22.04.2026 11:08
Last: 22.04.2026 11:08
Sources: 1
About this happening:
**CVE-2026-40372** in **ASP.NET Core Data Protection** can let **unauthenticated attackers** forge authentication cookies and gain **SYSTEM privileges** on affected devices. Micro...
Windows zero-day exploitation wave
Exploitation Wave
First: 17.04.2026 09:14
Last: 17.04.2026 09:14
Sources: 1
About this happening:
**BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Latest development: 23.04.2026 14:05
CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7. The directive responds to ongoing zero-day abuse of the flaw against U.S. government systems.
Microsoft April 2026 Patch Tuesday security update (165 CVEs)
Security Patch Release
First: 15.04.2026 00:22
Last: 15.04.2026 00:22
Sources: 1
About this happening:
**Microsoft** shipped **April 2026 Patch Tuesday** updates covering **165 CVEs**, including an **actively exploited zero-day** and a **publicly disclosed** flaw, creating immediat...
NetScaler ADC and NetScaler Gateway out-of-bounds read security flaw (CVE-2026-3055)
Vulnerability
First: 24.03.2026 17:15
Last: 24.03.2026 17:15
Sources: 1
About this happening:
A critical **out-of-bounds read** in **NetScaler ADC** and **NetScaler Gateway** can let an **unauthenticated remote attacker** leak **sensitive memory contents** from affected ap...
Timeline
05.09.2025 01:05 (2 articles)
Sitecore zero-day CVE-2025-53690 is exploited through exposed ASP.NET machine keys
Exploitation Observed: A critical Sitecore zero-day tracked as CVE-2025-53690 was under active ViewState deserialization exploitation against Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce deployments, with attackers leveraging an exposed ASP.NET machine key from Sitecore deployment guides from 2017 and earlier to achieve remote code execution.
Sources:
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
05.09.2025 01:05 (2 articles)
Mandiant disrupts an active ViewState deserialization attack on a Sitecore server
Technical Analysis Update: Mandiant Threat Defense said it discovered an active ViewState deserialization attack affecting Sitecore deployments that leveraged a sample machine key exposed in Sitecore deployment guides from 2017 and earlier, then initiated rapid response and successfully disrupted the attack on a Sitecore server before the full attack cycle could be observed.
Sources:
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05