CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-53690

CVSS 9.0v3.1pub. 2025-09-03upd. 2025-10-30

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Sitecore Experience Commerce

    APP
    Sitecore
    ≤ 9.0
  • Sitecore Experience Manager

    APP
    Sitecore
    ≤ 9.0
  • Sitecore Experience Platform

    APP
    Sitecore
    ≤ 9.0
  • Sitecore Managed Cloud

    APP
    Sitecore
    wszystkie wersje

CISA KEV — detailsi

Vendori
Sitecore
Producti
Multiple Products
Added to KEVi
September 4, 2025
Remediation deadline (US Federal)i
September 25, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 25 września 2025
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2021-42237CRITICAL9.8⚠ KEVten sam produkt

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attac...

CVE-2019-9874CRITICAL9.8⚠ KEVten sam produkt

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0...

CVE-2025-53693CRITICAL9.8PL ✓ten sam produkt

Unsafe Reflection umożliwiający Cache Poisoning w Sitecore XM/XP

CVE-2023-35813CRITICAL9.8ten sam produkt

Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, ...

CVE-2023-27068CRITICAL9.8ten sam produkt

Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run ...