Sitecore actively exploited zero-day vulnerability (CVE-2025-53690)
Vulnerability
Summary
CVE-2025-53690 is a critical Sitecore vulnerability under active exploitation for initial access. CISA advised FCEB agencies to update Sitecore by September 25, 2025 after the flaw was found in the wild, and Mandiant reported attackers abusing a publicly disclosed ASP.NET machine key to trigger remote code execution. The intrusion chain used WEEPSTEEL and tools including EarthWorm, DWAgent, and SharpHound to support reconnaissance, persistence, lateral movement, and data theft.
Related Happenings
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Langflow CVE-2026-33017 exploitation wave
Exploitation Wave
First: 20.03.2026 12:20
Last: 20.03.2026 12:20
Sources 1
About this happening:
**CVE-2026-33017** in **Langflow** is being exploited in a fast-moving **early wave** that surfaced within **20 hours** of the advisory, putting exposed instances at immediate ris...
Cloud environments third-party flaw exploitation wave
Exploitation Wave
First: 09.03.2026 23:45
Last: 09.03.2026 23:45
Sources 1
About this happening:
**Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Rising zero-day exploitation across end-user and enterprise products in 2025
Target Trend
First: 05.03.2026 17:03
Last: 05.03.2026 17:03
Sources 1
About this happening:
**Zero-day exploitation** stayed elevated in **2025**, with **90 actively exploited flaws** spread across **end-user platforms** and **enterprise products**. That matters because...
Timeline
- 16.01.2026 09:18 · 6 articles · 4mo ago
UAT-8837 exploitation of Sitecore CVE-2025-53690
Initial Disclosure
Researchers assess UAT-8837 as a likely China-nexus APT targeting North American critical infrastructure and using the Sitecore zero-day CVE-2025-53690 for initial access. After foothold, the actor is described as conducting reconnaissance, disabling RestrictedAdmin for RDP, opening cmd.exe, and deploying GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy for credential theft, tunneling, persistence, elevated command execution, and Active Directory discovery and abuse; in one victim organization it exfiltrated DLL-based shared libraries related to the victim's products.
Sources
- China-Linked APT Exploits Sitecore Zero-Day in Attacks on American Critical Infrastructure — thehackernews.com — 16.01.2026 09:18
- China-linked hackers exploited Sitecore zero-day for initial access — www.bleepingcomputer.com — 16.01.2026 19:10
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08