Cyber Posture

CVE-2025-53690

Tags: Critical · CISA KEV · Active Exploitation · Public PoC · RCE · Patch

Published: 03 September 2025
Modified: 30 October 2025
KEV Added: 04 September 2025

CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0684 (91.4th percentile)
Risk Priority: 42 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53690 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sitecore Experience Commerce. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 8 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2 Flaw Remediation): Timely patching of the deserialization flaw as per Sitecore KB1003865 and CISA KEV directly eliminates the vulnerability enabling code injection.
- prevent (SI-10 Information Input Validation): Validates untrusted data inputs prior to deserialization to block malicious payloads that lead to remote code execution.
- prevent: Implements memory protections such as DEP and ASLR to mitigate unauthorized code execution resulting from successful deserialization exploits.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1027.009 Embedded Payloads (Stealth): Adversaries may embed payloads within other files to conceal malicious content from defenses.
- T1027.006 HTML Smuggling (Stealth): Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
- T1041 Exfiltration Over C2 Channel (Exfiltration): Adversaries may steal data by exfiltrating it over an existing command and control channel.
- T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
- T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- T1016 System Network Configuration Discovery (Discovery): Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
- T1057 Process Discovery (Discovery): Adversaries may attempt to get information about running processes on a system.
- T1074.001 Local Data Staging (Collection): Adversaries may stage collected data in a central location or directory on the local system prior to exfiltration.
Why these techniques?

The deserialization vulnerability enables unauthenticated RCE on public-facing Sitecore via a crafted ViewState (T1190). Observed exploitation also involved embedded payloads (T1027.009), host reconnaissance (T1082, T1083, T1016, T1057), HTML smuggling and exfiltration over a C2 channel (T1027.006, T1041), and local data staging (T1074.001).

NVD Description

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

Deeper analysis

CVE-2025-53690 is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting Sitecore Experience Manager (XM) through version 9.0 and Sitecore Experience Platform (XP) through version 9.0. Published on 2025-09-03, it enables code injection and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact network-based attacks with scope change.

The vulnerability can be exploited by unauthenticated attackers (PR:N) over the network (AV:N) without requiring user interaction (UI:N), though it demands high attack complexity (AC:H). Successful exploitation allows attackers to achieve high levels of confidentiality, integrity, and availability impact (C:H/I:H/A:H) in a changed scope (S:C), typically resulting in remote code execution through injected code.

Advisories provide mitigation details, including Sitecore's knowledge base article KB1003865, a Google Cloud threat intelligence blog detailing the ViewState deserialization zero-day vulnerability, and CISA's Known Exploited Vulnerabilities catalog entry for CVE-2025-53690.

The CISA KEV listing confirms real-world exploitation, urging immediate patching by federal agencies and critical infrastructure operators.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 04 September 2025

Affected Products

- sitecore / experience commerce: ≤ 9.0
- sitecore / experience manager: ≤ 9.0
- sitecore / experience platform: ≤ 9.0
- sitecore / managed cloud: all versions

CVEs Like This One

- CVE-2025-53691: same product (Sitecore Experience Commerce)
- CVE-2025-53693: same product (Sitecore Experience Commerce)
- CVE-2025-59287: shared CWE-502; both on KEV
- CVE-2025-55182: shared CWE-502; both on KEV
- CVE-2025-53770: shared CWE-502; both on KEV
- CVE-2025-26399: shared CWE-502; both on KEV
- CVE-2025-0994: shared CWE-502; both on KEV
- CVE-2025-40551: shared CWE-502; both on KEV
- CVE-2026-20963: shared CWE-502; both on KEV
- CVE-2026-20131: shared CWE-502; both on KEV
