What happened
China-linked threat actors exploited a Sitecore zero-day for enterprise network access in attacks observed in 2025–2026. The attackers targeted Sitecore Experience Platform using CVE-2025-53690, a ViewState deserialization flaw, to gain initial access without credentials. Cisco Talos researchers report that the threat actor, tracked as UAT-8837, used hands-on-keyboard techniques and living-off-the-land tools, including GoTokenTheft, Rubeus, Certipy, SharpHound, and Earthworm, to collect Active Directory credentials, enumerate users and service accounts, and establish persistence. Mandiant researchers previously observed the zero-day in attacks deploying the reconnaissance backdoor “WeepSteel.” UAT-8837 also performed host and network reconnaissance, disabled RDP RestrictedAdmin, and exfiltrated DLLs for potential future trojanization and supply-chain attacks.
Who is affected
Organizations running internet-facing Sitecore Experience Platform deployments are directly affected. Enterprises that rely on Sitecore for public-facing websites also face indirect exposure wherever a compromised Sitecore host allowed lateral movement or credential theft into the wider network.
Why CISOs should care
Zero-day exploitation of enterprise CMS platforms bypasses traditional perimeter controls, enabling attackers to harvest credentials, map AD infrastructure, and establish persistent footholds that threaten sensitive data and long-term operational security.
3 practical actions
- Patch and mitigate immediately: Apply vendor updates and recommended mitigations for Sitecore Experience Platform.
- Restrict access to management interfaces: Limit internet-facing exposure and segment Sitecore servers from internal networks.
- Hunt for post-exploitation activity: Audit endpoints and logs for web shells, unusual command execution, and lateral movement indicators.
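To make the third action concrete, the following hunt script is an added example (not code from the brief, Cisco Talos or Mandiant). It encodes three signals that match the behaviour described above: an IIS worker process (w3wp.exe) spawning a shell, which is what a web shell or ViewState deserialization payload looks like in process telemetry; the credential and AD-enumeration tool names the brief lists appearing on a command line; and any change to the registry value that governs RDP Restricted Admin mode. The event dictionaries are constructed samples loosely modelled on Sysmon event IDs 1 (process create) and 13 (registry value set); the field names are assumptions, so map them to whatever your EDR or SIEM exports. Tool-name matching is deliberately shown alongside a renamed binary that it misses, because the parent-child and registry rules catch behaviour rather than names.

```python
"""Hunt for Sitecore post-exploitation activity in endpoint telemetry.

Added example; not from the original brief. Field names (host, event_id,
parent_image, image, command_line, target_object, details) are assumptions
loosely based on Sysmon events 1 and 13. All sample events are constructed.
"""
import re

# Tool names from the brief, matched case-insensitively on command line / image.
SUSPECT_TOOLS = ("gotokentheft", "rubeus", "certipy", "sharphound", "earthworm")

# Interpreters an IIS worker process should never spawn on a CMS server.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Real registry value controlling RDP Restricted Admin mode; the brief reports
# the actor changed this setting, so any write to it is worth a look.
RESTRICTED_ADMIN_VALUE = re.compile(
    r"\\control\\lsa\\disablerestrictedadmin$", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Apply every hunt rule to one event; returns a list of (rule, detail)."""
    findings = []
    if ev.get("event_id") == 1:  # process creation
        parent = basename(ev.get("parent_image", ""))
        image = basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        # Rule 1: web server worker spawning a shell (web shell / deserialization RCE).
        if parent == "w3wp.exe" and image in SHELLS:
            findings.append(("iis_spawned_shell", f"{parent} -> {image}: {cmd}"))
        # Rule 2: known credential / AD tooling by name (weak: renamed binaries evade it).
        for tool in SUSPECT_TOOLS:
            if tool in cmd.lower() or tool in image:
                findings.append(("credential_tooling", f"{tool}: {cmd}"))
    elif ev.get("event_id") == 13:  # registry value set
        target = ev.get("target_object", "")
        # Rule 3: Restricted Admin mode toggled, in either direction.
        if RESTRICTED_ADMIN_VALUE.search(target):
            findings.append(("restricted_admin_changed",
                             f"{target} = {ev.get('details')}"))
    return findings


def hunt(events) -> dict:
    """Run the rules over all events; returns findings grouped by host."""
    report = {}
    for ev in events:
        for finding in check_event(ev):
            report.setdefault(ev.get("host", "unknown"), []).append(finding)
    return report


# Constructed sample telemetry (not real data from any incident).
SAMPLE_EVENTS = [
    {"host": "web01", "event_id": 1,
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    # Renamed tool: the name rule misses this one on purpose.
    {"host": "web01", "event_id": 1,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\r.exe", "command_line": "r.exe"},
    {"host": "web01", "event_id": 1,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\Rubeus.exe", "command_line": "Rubeus.exe"},
    {"host": "web01", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "details": "DWORD (0x00000001)"},
    # Benign: w3wp.exe starting a console host is not a shell.
    {"host": "web02", "event_id": 1,
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe"},
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        for rule, detail in findings:
            print(f"{host}\t{rule}\t{detail}")
```

Run against the constructed sample, web01 produces three findings (the spawned shell, the Rubeus binary, and the Restricted Admin registry write) while the renamed binary and web02's benign child process produce none; feed real process and registry events in the same shape to triage Sitecore hosts after patching.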
