CVE-2025-53690

Sitecore Products ViewState Deserialization Vulnerability

CVSS 9 (Critical) | EPSS 26.3% | KEV | CWE-502
In short

Sitecore products improperly deserialize untrusted data in ViewState, allowing attackers to inject and execute arbitrary code on the server. This affects Sitecore Experience Manager and Experience Platform versions up to 9.0.

Technical detail

A deserialization vulnerability in ViewState handling permits code injection via untrusted data. Attackers can craft malicious serialized objects that execute arbitrary code when the application deserializes them. The issue affects Sitecore XM and XP through version 9.0, and exploitation requires no authentication.

Summary generated and translated by AI from the official description.

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
⚠ Public resources to assess the exposure of systems you control or are authorized to test. Test only with authorization.
