
WeepSteel Rises: Attackers Exploit Critical Sitecore Deserialization Bug


Executive Summary

A critical zero-day vulnerability in Sitecore, tracked as CVE-2025-53690, has been exploited in the wild to deploy the WeepSteel backdoor. The flaw is an insecure deserialization issue: Sitecore deployments that kept the sample ASP.NET machineKey from the product documentation accept ViewState payloads signed with that publicly known key, so an attacker can submit a serialized object graph that the server validates and then deserializes. Exploitation leads to unauthenticated remote code execution (RCE) on vulnerable Sitecore servers, followed in observed intrusions by credential dumping, privilege escalation, and backdoor installation. With a CVSS score of 9.0, the vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog with a remediation deadline of September 25, 2025 for federal civilian agencies; every other Sitecore operator should treat it with the same urgency.


Background on WeepSteel

WeepSteel is a reconnaissance-focused backdoor identified during investigations into Sitecore breaches. Threat actors use it to gain persistence, collect sensitive system and network data, and stage additional tools for remote access and lateral movement. Unlike smash-and-grab malware, WeepSteel emphasizes stealth and persistence, making it suitable for long-term espionage operations. Reported intrusions combined the WeepSteel DLL with off-the-shelf tooling: DWAgent for remote control and tunneling tools such as Earthworm.


Vulnerability Details

CVE-ID: CVE-2025-53690
CVSS Score: 9.0 (Critical)
EPSS Score: 23.38
Vulnerability Type: Insecure Deserialization (ASP.NET ViewState)
CWE: CWE-502 – Deserialization of Untrusted Data
Affected Software: Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud deployments on version 9.0 and earlier that were configured with the sample ASP.NET machineKey from Sitecore's deployment guides. Later versions are not listed as affected, but any server that still carries a copied sample key is exposed regardless of version.
Fix: There is no code patch; the fix is configuration. Replace the default/sample ASP.NET machineKey with unique values on every server in the environment (all instances that serve one Sitecore site must share the new key), upgrade beyond version 9.0 where possible, and follow Sitecore's KB1003865 guidance.
Root Cause: Sitecore installations reused the public sample ASP.NET machineKey values printed in the documentation. The validationKey is the secret that MACs every ViewState blob, so an attacker who knows it can compute a correct MAC over a serialized object graph of their choosing. The server does not bypass validation; it validates the attacker's payload successfully and then deserializes it, which yields remote code execution without authentication.
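The two checks a practitioner needs at this point are "is my web.config carrying a key somebody else knows?" and "what does a correct replacement look like?". The following Python script, added here as an illustration and not part of the original article or of Sitecore's tooling, audits a web.config for a known sample key, a missing key and a weak validation algorithm, then rewrites the section with unique values. The SAMPLE_KEYS set holds constructed placeholders: the real documented sample key is deliberately not reproduced, so load the values from your own copy of the deployment guide or from KB1003865 before relying on the check.

```python
"""Audit an ASP.NET web.config for a reused or sample <machineKey> and produce a
replacement with unique keys.

Added example for this article; it is not Sitecore's or Microsoft's code. The
SAMPLE_KEYS values below are constructed placeholders standing in for the real
sample key printed in the old Sitecore deployment guides: populate the set from
your own copy of the guide (or Sitecore KB1003865) before relying on the check.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder values, NOT the real documented sample key.
PLACEHOLDER_VALIDATION = "0123456789ABCDEF" * 8   # 128 hex chars (64 bytes)
PLACEHOLDER_DECRYPTION = "FEDCBA9876543210" * 4   # 64 hex chars (32 bytes)
SAMPLE_KEYS = {
    "validationKey": {PLACEHOLDER_VALIDATION},
    "decryptionKey": {PLACEHOLDER_DECRYPTION},
}

# Constructed web.config fragment that copied the "sample" key verbatim.
VULNERABLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PLACEHOLDER_VALIDATION}"
                decryptionKey="{PLACEHOLDER_DECRYPTION}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the <machineKey> in a web.config (empty list = clean)."""
    findings = []
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        # ASP.NET then auto-generates a per-server key. Safe on one box, but it
        # breaks ViewState across a farm, which is exactly why operators paste a
        # static key from the docs; flag it so the farm gets a deliberate key.
        return ["no <machineKey>; keys are auto-generated per server"]
    for attr, known in SAMPLE_KEYS.items():
        value = mk.get(attr, "")
        if value.upper() in known:
            findings.append(f"{attr} is a published sample key: anyone with the docs can sign ViewState")
        elif value.startswith("AutoGenerate"):
            continue
        elif not re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append(f"{attr} is not a hex key")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation should be HMACSHA256 or stronger")
    return findings


def generate_machine_key() -> dict:
    """Fresh keys from the OS CSPRNG: 64 bytes for HMACSHA256, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml: str, new_key=None) -> str:
    """Return the config with <machineKey> replaced by unique values.

    Deploy the SAME new_key to every server that serves one Sitecore instance;
    otherwise ViewState produced by one node is rejected by the next.
    """
    root = ET.fromstring(config_xml)
    web = root.find("./system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    for attr, value in (new_key or generate_machine_key()).items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(VULNERABLE_WEB_CONFIG))
    fixed = rotate_machine_key(VULNERABLE_WEB_CONFIG)
    print("after: ", audit_machine_key(fixed))
```

Run the audit against every server's web.config, then generate one key and pass it as new_key to rotate_machine_key on each node that serves the same site (content management and content delivery alike); a farm with mismatched keys rejects its own ViewState. Rotation also invalidates forms-authentication tickets signed with the old key, so existing logins drop, which is the point after a compromise but worth scheduling.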


Infection Method

The WeepSteel attack leveraging CVE-2025-53690 follows this chain:

  1. Initial Access: Attackers send malicious ViewState payloads to Sitecore endpoints (e.g., /sitecore/blocked.aspx, a page reachable without authentication). Because the server uses a public machineKey, the payload's MAC is accepted as valid.
  2. Exploitation: The crafted payload is deserialized, giving RCE as the IIS application pool identity (NETWORK SERVICE in the observed intrusions).
  3. Payload Deployment: WeepSteel is dropped, typically as a DLL assembly (Information.dll), for reconnaissance and persistence.
  4. Privilege Escalation: The attacker attempts token impersonation to escalate from the application pool identity, then creates new local admin accounts (asp$, sawadmin) with non-expiring passwords.
  5. Tool Staging: Remote tools such as DWAgent (remote control), Earthworm (tunneling), and 7-Zip (archiving) are deployed.
  6. Persistence: DWAgent is registered as a service running as SYSTEM; the new accounts are enabled for RDP.
  7. Exfiltration: Sensitive files (e.g., web.config, registry hives) are archived, staged, and exfiltrated.

Malware Behavior and Capabilities

WeepSteel is designed for long-term access and stealth, with capabilities including:

  • System Reconnaissance: Executes commands like whoami, hostname, tasklist, and ipconfig /all.
  • Credential Theft: Dumps SYSTEM and SAM registry hives.
  • Privilege Escalation: Creates persistent admin accounts and performs token impersonation.
  • Lateral Movement: Enables RDP access through newly created accounts.
  • Remote Control & Tunneling: Installs DWAgent and Earthworm for remote access and network tunneling.
  • Persistence: Registers services, disables password expiration, ensures long-term foothold.
  • Data Exfiltration: Uses 7-Zip to archive sensitive data for extraction.

Techniques Include

  • T1190 – Exploit Public-Facing Application: Delivery of malicious ViewState payloads to Sitecore endpoints. The server-side deserialization is the exploit itself and belongs here, not under the client-side technique T1203.
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell: Running whoami, hostname, tasklist, ipconfig and similar commands through cmd.exe spawned from the web server process.
  • T1082 – System Information Discovery: Commands such as hostname and whoami to gather environment details.
  • T1049 – System Network Connections Discovery: Using netstat -ano to enumerate listening ports and active connections on the compromised host (T1046, Network Service Discovery, would cover scanning other hosts, which the reported activity does not include).
  • T1003.002 – OS Credential Dumping: Security Account Manager: Saving the SYSTEM and SAM registry hives for offline credential extraction.
  • T1136.001 – Create Account: Local Account: Creation of asp$ and sawadmin as local administrators with non-expiring passwords.
  • T1021.001 – Remote Services: Remote Desktop Protocol: Enabling RDP access through the newly created admin accounts.
  • T1543.003 – Create or Modify System Process: Windows Service: Registering DWAgent as a SYSTEM service for persistence.
  • T1219 – Remote Access Software and T1572 – Protocol Tunneling: DWAgent for remote control and Earthworm for tunneling traffic out of the environment.
  • T1053 – Scheduled Task/Job: Possible additional persistence via scheduled tasks (not confirmed in the reported intrusions).
  • T1074 – Data Staged and T1560 – Archive Collected Data: Staging tools and collected files in public directories and packaging them with 7-Zip before exfiltration.

Visual: WeepSteel Attack Flow

> [Crafted ViewState Payload with Known machineKey]
> [ViewState Deserialization Exploit → Remote Code Execution]
> [WeepSteel Reconnaissance DLL Deployed]
> [Admin Accounts Created (asp$, sawadmin); Privilege Escalation]
> [DWAgent & Earthworm Installed; 7-Zip Used for Archiving]
> [Persistence Established via Services & RDP]
> [Exfiltration of Configs, Credentials, and Archives]


IOCs (Indicators of Compromise)

Registry / Credential Artifacts: SYSTEM and SAM hives dumped
Suspicious Accounts: asp$, sawadmin created as local admins
Tools Observed:

  • DWAgent (remote access)
  • Earthworm (tunneling)
  • 7-Zip (archiving/exfiltration)

Commands Used: whoami, hostname, tasklist, ipconfig /all, netstat -ano
File Indicators: Assemblies like Information.dll dropped to Sitecore environments

Threat Actor Attribution

While formal attribution remains unconfirmed, the observed sophistication suggests a well-resourced actor with espionage and persistence goals. The tactics – credential dumping, tunneling, persistence via RDP, and use of custom backdoors – indicate activity consistent with advanced threat groups targeting enterprise and critical infrastructure using Sitecore.


Mitigation Steps

  • Rotate the machineKey: There is no binary patch for this issue. Generate unique validationKey and decryptionKey values, set validation to HMACSHA256, deploy the same key to every server in the Sitecore environment, and upgrade beyond v9.0 where possible. Treat any internet-facing server that ran with the sample key as potentially compromised until it has been checked.
  • Protect the Configuration: Encrypt the <machineKey> section of web.config (for example with aspnet_regiis -pe "system.web/machineKey") and restrict read access to the file; the key is only as secret as the file that holds it.
  • Audit Accounts: Monitor for unauthorized local account creation (e.g., asp$, sawadmin) and for accounts whose password expiration has been disabled.
  • Threat Hunting: Look for cmd.exe and reconnaissance utilities spawned by w3wp.exe, reg.exe saving the SAM/SYSTEM hives, POST requests to /sitecore/blocked.aspx, and DWAgent service registration.
  • Network Monitoring: Detect tunneling or unusual outbound traffic from Sitecore servers, particularly new long-lived connections originating from the web tier.
  • User Awareness & IR Readiness: Train teams on web application threats and maintain incident response plans.
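For the Audit Accounts and Threat Hunting items, the following Python script, added here and not part of the original article or of any vendor's detection content, encodes the intrusion chain above as five rules and runs them over host telemetry. The EVENTS list is constructed for the demo: the records are shaped like Sysmon process creation (EID 1), Security account creation (EID 4720), System service installation (EID 7045) and IIS W3C log fields, with field names taken from those sources but hosts, IPs, paths and the DWAgent service path invented.

```python
"""Hunt for the WeepSteel post-exploitation chain in exported host telemetry.

Added example for this article; it is not Mandiant's, Sitecore's or any vendor's
detection content. EVENTS holds constructed records shaped like Sysmon process
creation (EID 1), Security account creation (EID 4720), System service install
(EID 7045) and IIS W3C log fields; field names follow those sources, values are
invented for the demo.
"""
from pathlib import PureWindowsPath

RECON_TOOLS = {"cmd.exe", "powershell.exe", "whoami.exe", "hostname.exe",
               "tasklist.exe", "ipconfig.exe", "netstat.exe", "net.exe", "reg.exe"}
SUSPICIOUS_ACCOUNTS = {"asp$", "sawadmin"}

EVENTS = [  # constructed sample telemetry
    {"source": "iis", "cs-method": "POST", "cs-uri-stem": "/sitecore/blocked.aspx",
     "c-ip": "198.51.100.7", "sc-status": "500"},
    {"source": "sysmon1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami & hostname & tasklist & ipconfig /all"',
     "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"source": "sysmon1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"source": "sec4720", "TargetUserName": "asp$", "SubjectUserName": "SITECORE-CM01$"},
    {"source": "sys7045", "ServiceName": "DWAgent",
     "ImagePath": r"C:\Program Files\DWAgent\dwagsvc.exe", "StartType": "auto start"},
    {"source": "sysmon1", "ParentImage": r"C:\Windows\explorer.exe",  # benign
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "User": r"CORP\alice"},
]


def _name(path: str) -> str:
    """Lower-case file name of a Windows path, so rules ignore install location."""
    return PureWindowsPath(path).name.lower()


def rule_viewstate_post(ev):
    # blocked.aspx is the unauthenticated page abused in the wild; no ordinary
    # user submits a form to it, and a deserialization gadget often ends in a 500.
    if ev["source"] == "iis" and ev["cs-method"] == "POST" \
            and ev["cs-uri-stem"].lower().endswith("/sitecore/blocked.aspx"):
        return f"POST to {ev['cs-uri-stem']} from {ev['c-ip']} (status {ev['sc-status']})"


def rule_w3wp_spawns_recon(ev):
    # The IIS worker process has no business launching shells or recon tools.
    if ev["source"] == "sysmon1" and _name(ev["ParentImage"]) == "w3wp.exe" \
            and _name(ev["Image"]) in RECON_TOOLS:
        return f"w3wp.exe spawned {_name(ev['Image'])} as {ev['User']}: {ev['CommandLine']}"


def rule_hive_dump(ev):
    # reg.exe exporting SAM/SYSTEM is the credential-theft step from the chain.
    if ev["source"] != "sysmon1" or _name(ev["Image"]) != "reg.exe":
        return None
    cl = ev["CommandLine"].lower()
    if " save " in cl and ("hklm\\sam" in cl or "hklm\\system" in cl):
        return f"registry hive export: {ev['CommandLine']}"


def rule_rogue_account(ev):
    if ev["source"] == "sec4720" and ev["TargetUserName"].lower() in SUSPICIOUS_ACCOUNTS:
        return f"local account {ev['TargetUserName']} created by {ev['SubjectUserName']}"


def rule_dwagent_service(ev):
    if ev["source"] == "sys7045" \
            and "dwagent" in (ev["ServiceName"] + ev["ImagePath"]).lower():
        return f"service {ev['ServiceName']} installed from {ev['ImagePath']}"


RULES = {
    "viewstate_post": rule_viewstate_post,
    "w3wp_spawns_recon": rule_w3wp_spawns_recon,
    "hive_dump": rule_hive_dump,
    "rogue_account": rule_rogue_account,
    "dwagent_service": rule_dwagent_service,
}


def hunt(events):
    """Return (rule_name, detail) for each event a rule matches; benign events yield nothing."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in hunt(EVENTS):
        print(f"[{name}] {detail}")
```

The rules are deliberately narrow so they stay quiet on a healthy Sitecore host; the w3wp.exe-spawns-shell rule is the one worth promoting to a standing alert, because it fires on the first action after any ViewState exploit regardless of which accounts or tools a future intrusion chooses. The account and service rules should be widened with your own baseline of expected local accounts and remote-management agents.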

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.