Executive Summary
A sophisticated China-linked threat actor, identified as UAT-8837, has been observed exploiting a critical zero-day vulnerability in the Sitecore platform. Tracked as CVE-2025-53690, this insecure deserialization flaw allows attackers to bypass authentication and achieve remote code execution (RCE). The primary goal of this campaign is the deployment of the WeepSteel backdoor to facilitate long-term espionage and data exfiltration.
With a CVSS score of 9.0, the vulnerability stems from the use of default or sample ASP.NET machineKey values in Sitecore installations. Due to active exploitation in the wild, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
Background on UAT-8837
UAT-8837 is a China-linked advanced persistent threat (APT) group known for targeting high-value enterprise and government sectors. This actor focuses on exploiting public-facing applications to gain a foothold in corporate networks. Unlike financially motivated groups, UAT-8837 prioritizes stealthy reconnaissance and persistent access.
The group’s signature tool in this campaign is WeepSteel. This reconnaissance-focused backdoor is designed for:
- Data Collection: Gathering system configurations and network topology.
- Persistence: Establishing long-term access through custom DLLs.
- Lateral Movement: Staging third-party tools like DWAgent for remote control and Earthworm for network tunneling.
Vulnerability Details: CVE-2025-53690
The vulnerability lies in how Sitecore handles ASP.NET ViewState. ViewState is protected only by a MAC computed with the server's machineKey, so if a server uses a publicly known or sample machineKey, an attacker can produce a validly signed ViewState carrying a malicious serialized object; the server accepts the signature as legitimate and deserializes the payload.
| Feature | Details |
|---|---|
| CVE-ID | CVE-2025-53690 |
| CVSS Score | 9.0 (Critical) |
| EPSS Score | 13.94% |
| Vulnerability Type | Insecure Deserialization (CWE-502) |
| Affected Versions | Sitecore Experience Manager/Platform/Commerce/Cloud up to 9.0 |
| Root Cause | Hardcoded/Sample ASP.NET machineKey values |
| Fix Status | Patch available (Unique machineKey generation required) |
Infection Method
The attack chain employed by UAT-8837 is highly automated and follows a structured path:
- Initial Access: Attackers target Sitecore endpoints (such as /sitecore/blocked.aspx) with a specially crafted ViewState payload.
- Exploitation: Because the server utilizes a default machineKey, it validates the malicious signature. This triggers a deserialization flaw, leading to RCE under the IIS NETWORK SERVICE account.
- Deployment: The WeepSteel backdoor (Information.dll) is dropped into the environment to begin system discovery.
- Privilege Escalation: UAT-8837 creates new administrative accounts, typically named asp$ or sawadmin, to maintain control.
- Persistence & Tunneling: The actors install DWAgent as a SYSTEM service and use Earthworm to bypass firewall restrictions.
- Exfiltration: Sensitive files, including web.config and registry hives, are compressed using 7-Zip and then exfiltrated to the attacker’s controlled infrastructure.
MITRE ATT&CK Techniques
| Technique ID | Name | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploiting the Sitecore ViewState vulnerability. |
| T1203 | Insecure Deserialization | Using a malicious ViewState to trigger arbitrary code. |
| T1003 | OS Credential Dumping | Extracting SAM and SYSTEM hives for passwords. |
| T1547 | Boot or Logon Autostart | Registering DWAgent as a persistent system service. |
| T1021 | Remote Services | Using RDP via unauthorized accounts (asp$). |
Visual: UAT-8837 Attack Flow
[Target Identification] -> Scanning for Sitecore instances with default machineKeys.
[Exploitation] -> Sending crafted ViewState to /sitecore/blocked.aspx.
[Backdoor Delivery] -> WeepSteel (Information.dll) is executed in memory.
[Account Creation] -> Local Admin accounts asp$ and sawadmin created.
[Tool Staging] -> DWAgent, Earthworm, and 7-Zip deployed.
[Exfiltration] -> Stolen registry hives and configs sent to C2.
Indicators of Compromise (IOCs)
Organizations should monitor their environments for the following artifacts:
- Unauthorized Accounts: Look for local admins named asp$ or sawadmin.
- Suspicious Processes: Presence of dwagent.exe, ew.exe (Earthworm), or unexpected 7z.exe activity.
- File Artifacts: Information.dll or other unsigned DLLs in Sitecore web directories.
- Registry Activity: Unexpected exports of HKEY_LOCAL_MACHINE\SAM or SYSTEM.
- Network Traffic: Unusual outbound connections to unknown IPs from the Sitecore web server.
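The artifacts listed above can be turned into simple hunting logic over Windows Security events. The following is an added example, not part of the original advisory: it scans constructed event records (field names follow the Security log's 4720 account-creation and 4688 process-creation events) for the named accounts, the named binaries, SAM/SYSTEM hive exports via reg.exe, and, as an extra assumption beyond the page, shells spawned directly by the IIS worker process w3wp.exe, which is where the Sitecore RCE lands.

```python
import ntpath

SUSPECT_ACCOUNTS = {"asp$", "sawadmin"}
SUSPECT_BINARIES = {"dwagent.exe", "ew.exe", "7z.exe"}
WEB_WORKER = "w3wp.exe"            # IIS worker process (assumption: hunt its children)
SHELLS = {"cmd.exe", "powershell.exe"}

def scan_events(events):
    """Return (rule, detail) alerts for a sequence of Security-log-like dicts."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720 and ev.get("TargetUserName", "").lower() in SUSPECT_ACCOUNTS:
            alerts.append(("ioc-account", ev["TargetUserName"]))
        elif eid == 4688:
            proc = ntpath.basename(ev.get("NewProcessName", "")).lower()
            parent = ntpath.basename(ev.get("ParentProcessName", "")).lower()
            cmd = ev.get("CommandLine", "").lower()
            if proc in SUSPECT_BINARIES:
                alerts.append(("ioc-process", proc))
            elif proc == "reg.exe" and "save" in cmd and (
                    "hklm\\sam" in cmd or "hklm\\system" in cmd):
                alerts.append(("hive-export", cmd))
            elif parent == WEB_WORKER and proc in SHELLS:
                alerts.append(("web-worker-child", proc))
    return alerts

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "asp$", "SubjectUserName": "NETWORK SERVICE"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "NewProcessName": r"C:\ProgramData\ew.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "ew.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\explorer.exe",
     "ParentProcessName": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(rule, detail)
```

The command-line and parent-process checks only work if the host's audit policy includes command lines in process creation events (4688), which is off by default.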
Mitigation Steps
- Update machineKey: Immediately replace any default or sample <machineKey> values in your web.config with unique, cryptographically strong keys.
- Upgrade Sitecore: Transition to Sitecore versions beyond 9.0 and apply all security hardening guides (KB1003865).
- Account Auditing: Scan for and delete the asp$ and sawadmin accounts if they appear in your local users list.
- Endpoint Protection: Implement EDR policies to block the execution of unauthorized tunneling tools like Earthworm and DWAgent.
- Restrict RDP: Limit RDP access to known management workstations and use Multi-Factor Authentication (MFA).
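The root cause described in the vulnerability section and the first mitigation step both come down to the contents of the `<machineKey>` element. The following added example (not Sitecore's or Microsoft's code) audits a web.config fragment for a sample key, a too-short key or a weak algorithm, and emits a replacement element with fresh CSPRNG keys; the "known sample key" value is a constructed placeholder, since the real sample values are not reproduced here.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder for publicly known sample keys; load the real
# list from the vendor advisory or your hardening checklist.
KNOWN_SAMPLE_KEYS = {"0123456789ABCDEF" * 8, "0123456789ABCDEF" * 2}
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}
# Minimum key lengths in hex characters (64-byte HMAC key, 16-byte AES key).
MIN_HEX = {"validationKey": 128, "decryptionKey": 32}

def audit_machine_key(web_config_xml: str) -> list:
    """Return a list of findings for the <machineKey> in a web.config string."""
    findings = []
    mk = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if mk is None:
        return ["no explicit <machineKey>: keys auto-generate per server"]
    for attr, min_hex in MIN_HEX.items():
        val = mk.get(attr, "AutoGenerate").split(",")[0]   # drop ",IsolateApps"
        if val == "AutoGenerate":
            continue
        if val.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a known sample key")
        elif not re.fullmatch(r"[0-9A-Fa-f]{%d,}" % min_hex, val):
            findings.append(f"{attr} is not at least {min_hex} hex chars")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("weak validation algorithm")
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append("weak decryption algorithm")
    return findings

def new_machine_key_element() -> str:
    """Build a replacement <machineKey> with unique, CSPRNG-derived keys."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))

# Constructed web.config fragment that reuses the placeholder sample keys.
WEAK_CONFIG = (
    '<configuration><system.web><machineKey validationKey="%s" '
    'decryptionKey="%s" validation="SHA1" decryption="AES" />'
    '</system.web></configuration>'
    % ("0123456789ABCDEF" * 8, "0123456789ABCDEF" * 2)
)

if __name__ == "__main__":
    print(audit_machine_key(WEAK_CONFIG))
    print(new_machine_key_element())
```

Keys must be identical across every node of a load-balanced Sitecore farm, so generate once and distribute rather than letting each server auto-generate.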
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
