CVE-2025-53690 · CRITICAL 9.0 · CISA KEV · EPSS p97.7%

CVE-2025-53690: Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability

Sitecore / Multiple Products

Description

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 26.31% probability of exploitation · percentile 97.7% · as of 2026-06-18T12:00:27Z
Published: 2025-09-03
Last modified: 2025-10-30

CISA KEV entry

Added to KEV: 2025-09-04

Underlying weaknesses · 1

CWE-502

References

  1. https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability
  2. https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
  3. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690

Relations · 1

Type     | Target                                      | Confidence | Tier
Weakness | Deserialization of Untrusted Data (cwe-502) | 0%         | live

Relations (incoming) · 1

Type     | Target                                                                                          | Confidence | Tier
KEVEntry | Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability (kev-cve-2025-53690) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2025-53691
  - CVE: Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
  - CVE: Sitecore XP Remote Command Execution Vulnerability
  - CVE: CVE-2025-53693
  - CVE: Kentico Xperience Deserialization of Untrusted Data Vulnerability
  - CVE: Microsoft SharePoint Deserialization Vulnerability

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.