Vulnerability Details CVE-2025-53690
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.135
EPSS Ranking 94.0%
CVSS Severity
CVSS v3 Score 9.0
Proposed Action
Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.
Ransomware Campaign
Unknown
References
Products affected by CVE-2025-53690
-
cpe:2.3:a:sitecore:experience_commerce:8.0
-
cpe:2.3:a:sitecore:experience_commerce:9.0
-
cpe:2.3:a:sitecore:experience_manager:8.0
-
cpe:2.3:a:sitecore:experience_manager:9.0
-
cpe:2.3:a:sitecore:experience_platform:7.5
-
cpe:2.3:a:sitecore:experience_platform:8.0
-
cpe:2.3:a:sitecore:experience_platform:8.1
-
cpe:2.3:a:sitecore:experience_platform:8.2
-
cpe:2.3:a:sitecore:experience_platform:9.0
-
cpe:2.3:a:sitecore:managed_cloud:-