Security researchers from Google on Wednesday warned of a zero-day vulnerability they discovered in the SiteCore content management system platform in connection with a ViewState deserialization attack they successfully disrupted.
The attack involved leveraging exposed ASP.NET keys to perform remote code execution, according to a blog post by Google’s Mandiant Threat Defense. A sample machine key had been exposed in SiteCore deployment guides from 2017 and prior, according to the blog.
Researchers did not provide any details on the organization targeted in the attack.
The vulnerability, tracked as CVE-2025-53690, is linked to deserialization of untrusted data in SiteCore Experience Manager and SiteCore Experience Platform.
SiteCore urged users to immediately update their accounts via its security patches and to take additional steps to check their environments for potential compromise, according to a bulletin released Tuesday by the company. The bulletin has since been updated.
Insecure configuration
Mandiant researchers said in their blog post that while they were not able to observe the entire attack life cycle, the attacker demonstrated “deep understanding of the compromised product.”
The attacker behind the exploit was “using a static ASP.NET machine key” that was previously released in product documentation in order to target exposed instances of SiteCore, Caitlin Condon, VP of security research at VulnCheck, told Cybersecurity Dive.
“The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure,” Condon said, “and as we’ve seen plenty of times before, threat actors definitely read documentation.”
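A defender-side check for the insecure configuration Condon describes, added here as an illustration and not taken from Mandiant, SiteCore or the article: it parses a `web.config` and reports whether each `<machineKey>` key is auto-generated, hard-coded, or hard-coded and on a list of publicly known keys. The function names, the deny-list and the sample key are constructed assumptions; the key from the old deployment guides does not appear on this page and is not reproduced.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample key; the key from the old deployment guides is not on this page.
SAMPLE_KEY = "0123456789ABCDEF" * 4
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_KEY}"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

def fingerprint(key):
    """SHA-256 of the normalised key, so the deny-list need not hold raw keys."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()

# Hypothetical deny-list of fingerprints of keys known to be public.
KNOWN_PUBLISHED = {fingerprint(SAMPLE_KEY)}

def audit_machine_keys(config_xml, known_published=frozenset()):
    """Classify each key of every <machineKey> element in a web.config string.

    Returns (attribute, status) pairs; an empty list means no <machineKey>
    element, so the inherited setting applies (AutoGenerate by default).
    """
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        # Compare local names so a namespaced <configuration> still matches.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            if value is None or value.split(",")[0].strip().lower() == "autogenerate":
                status = "auto-generated"    # per-machine key, not shared
            elif fingerprint(value) in known_published:
                status = "static-published"  # the condition in the quote above
            else:
                status = "static"            # hard-coded; confirm it is unique and secret
            findings.append((attr, status))
    return findings

if __name__ == "__main__":
    for attr, status in audit_machine_keys(SAMPLE_WEB_CONFIG, KNOWN_PUBLISHED):
        print(f"{attr}: {status}")
```

A `static-published` result means the key should be rotated and the host reviewed for compromise, in line with the vendor bulletin's advice to check environments.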