Attackers Deploy Backdoors via Legacy Sitecore Configuration Flaw

Cybercriminals are actively exploiting a zero-day vulnerability in older Sitecore systems to install WeepSteel malware, a reconnaissance backdoor. The issue, tracked as CVE-2025-53690, is not a flaw in the ASP.NET framework itself but a misconfiguration: default machine keys published in pre-2017 documentation were reused in production environments. Because those keys are public, attackers can craft payloads that the server accepts as legitimate, giving them remote code execution.

The attackers specifically target an unauthenticated endpoint, allowing them to execute code and deploy WeepSteel. This malware gathers extensive system information and disguises its data exfiltration within normal-looking network traffic. In later attack stages, additional tools like Earthworm and Dwagent are installed to establish persistence, tunnel traffic, and steal data.

The threat actors further consolidate their access by creating new administrator accounts, dumping credentials, and ensuring continued remote access. Sitecore has issued guidance urging administrators to replace static machine keys with unique, encrypted values and to implement regular key rotation to prevent such breaches.
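As an added example, not taken from the report or from Sitecore's own guidance, the following Python script audits a web.config `machineKey` for the two problems the guidance targets (a key copied from published material, and a weak validation algorithm) and rotates it to fresh random values. The sample config, its key values and the `PUBLISHED_KEYS` fingerprint set are constructed placeholders, not real published defaults.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config carrying a static machineKey copied from old documentation.
# The key values are made up for this example, not real published defaults.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555FFFF6666AAAA7777BBBB8888"
                decryptionKey="00112233445566778899AABBCCDDEEFF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Hypothetical fingerprint set of keys known to be public (docs, sample configs, repositories).
# Populate it from your own sources; the single entry here matches the constructed sample.
PUBLISHED_KEYS = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555FFFF6666AAAA7777BBBB8888"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element of a web.config string."""
    mk = ET.fromstring(config_xml).find("system.web/machineKey")
    if mk is None:
        return ["no explicit machineKey: keys are auto-generated per machine; confirm this is intended"]
    findings = []
    keys = {mk.get("validationKey", "AutoGenerate").upper(), mk.get("decryptionKey", "AutoGenerate").upper()}
    if keys & PUBLISHED_KEYS:
        findings.append("machineKey matches a publicly documented key: rotate immediately")
    elif not all(k.startswith("AUTOGENERATE") for k in keys):
        findings.append("static machineKey present: confirm it is unique to this deployment and rotated")
    if mk.get("validation", "").upper() not in ("HMACSHA256", "HMACSHA384", "HMACSHA512"):
        findings.append(f"weak validation algorithm {mk.get('validation')!r}: use HMACSHA256 or stronger")
    return findings


def new_machine_key() -> dict[str, str]:
    """Fresh random hex keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with the machineKey replaced by newly generated values."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(new_machine_key())
    return ET.tostring(root, encoding="unicode")
```

After rotation the section can be stored encrypted rather than in clear text, for example with `aspnet_regiis -pe "system.web/machineKey"` against the application, which matches the guidance to hold the keys as unique, encrypted values; every server in a farm must receive the same rotated keys.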
