CISA orders federal agencies to patch Sitecore zeroday following hacking reports The Record from Recorded Future News

pppLeadershipppCybercrimeppNationstatepp Influence Operations ppTechnologyppCyber DailyppClick Here Podcastpp Free Newsletterpp Federal civilian agencies have until September 25 to patch a vulnerability in popular content management system Sitecore after incident responders said they disrupted a recent attack involving the bug  pp Sitecore published a bulletin on Wednesday about CVE202553690 which affects several of the companys products A key issue with the bug is the use of a sample machine key that was included in Sitecore deployment guides from 2017 and earlier Many customers simply used the sample machine key and never rotated it to something new  pp Mandiant said it recently stopped an attack where hackers leveraged the exposed sample machine key to gain access pp Sitecore confirmed that its updated deployments now automatically generate a unique machine key and that all affected customers have been notified The company did not respond to requests for comment pp After the notices from Sitecore and Mandiant on Wednesday the Cybersecurity and Infrastructure Security Agency CISA added the vulnerability to its exploited bugs catalog giving all federal civilian agencies three weeks to patch it  pp Sitecore urged customers who used the sample key to examine their environment for suspicious behavior rotate the machine keys ensure sensitive information is encrypted restrict some file access to administrators only and implement the practice of rotating static machine keys pp In the incident it disrupted Mandiant noted that the unidentified threat actors deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation pp The hacker exploited the vulnerability on an internetfacing Sitecore instance before using a strain of reconnaissance malware called WEEPSTEEL The hacker then tried to gain access to sensitive files and create administrator accounts pp Sitecore noted in its advisory that both Microsoft and Mandiant are offering guidance to those affected Microsoft previously published its own notice in February about a limited campaign it witnessed last year involving the use of static machine keys during attacks  pp In the course of investigating remediating and building protections against this activity we observed an insecure practice whereby developers have incorporated various publicly disclosed ASPNET machine keys from publicly accessible resources such as code documentation and repositories which threat actors have used to perform malicious actions on target servers Microsoft said  pp Microsoft has since identified over 3000 publicly disclosed keys that could be used for these types of attacks which are called ViewState code injection attacks Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification ppJonathan Greigppis a Breaking News Reporter at Recorded Future News Jonathan has worked across the globe as a journalist since 2014 Before moving back to New York City he worked for news outlets in South Africa Jordan and Cambodia He previously covered cybersecurity at ZDNet and TechRepublicppPrivacyppAboutppContact Uspp Copyright 2025 The Record from Recorded Future Newsp