ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

Description | MD5 | SHA256
--- | --- | ---
(description not captured on this page) | 117305c6c8222162d7246f842c4bb014 | a566cceaf9a66332470a978a234a8a8e2bbdd4d6aa43c2c75c25a80b3b744307
WEEPSTEEL (Information.dll) | a39696e95a34a017be1435db7ff139d5 | b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b
EARTHWORM (lfe.ico, ufp.exe, ufp.ico) | f410d88429b93786b224e489c960bf5c | n/a
Helper.ico, helper.exe | <hash varies> | <hash varies>
1.vbs | be7e2c6a9a4654b51a16f8b10a2be175 | n/a
main.exe | 62483e732553c8ba051b792949f3c6d0 | n/a
GoToken.exe | 63d22ae0568b760b5e3aabb915313e44 | 61f897ed69646e0509f6802fb2d7c5e88c3e3b93c4ca86942e24d203aa878863
SharpHound | (not captured on this page) | (not captured on this page)

Network-Based


IP
130.33.156[.]194:443
130.33.156[.]194:8080
103.235.46[.]102:80
Detections


Google Security Operations Enterprise and Enterprise+ customers can leverage the following product threat detections and content updates to help identify and remediate threats. All detections have been automatically delivered to Google Security Operations tenants within the Mandiant Frontline Threats curated detections ruleset. To leverage these updated rules, access Content Hub and search on any of the rule names listed below, then View and Manage each rule you wish to implement or modify.

  • Earthworm Tunneling Indicators

  • User Account Created By Web Server Process

  • Cmd Launching Process From Users Music

  • Sharphound Recon

  • User Created With No Password Expiration Execution

  • Discovery of Privileged Permission Groups by Web Server Process

YARA Rule

```yara
rule G_Recon_WEEPSTEEL_1 {
    meta:
        author = "Mandiant"
    strings:
        $v_w = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value=" wide
        $v_a = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value="
        $v_b64_w = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value=" base64wide
        $v_b64_a = "<input type=\"hidden\" name=\"__VIEWSTATE\" id=\"__VIEWSTATE\" value=" base64
        $s2 = "Services\\Tcpip\\Parameters" wide
        $s3 = "GetOperatingSystemInformation"
        $s4 = "GetSystemInformation"
        $s5 = "GetNetworkAdapterInformation"
        $s6 = "GetAllNetworkInterfaces"
        $s7 = "GetIPProperties"
        $s8 = "GetPhysicalAddress"
        $s9 = "GetDomainNameFromRegistry"
        $c1 = "Aes" fullword
        $c2 = "CreateEncryptor" fullword
        $c3 = "System.Security.Cryptography" fullword
        $c4 = "ToBase64String" fullword
        $guid = "6d5a95da-0ffe-4303-bb2c-39e182335a9f"
    condition:
        uint16(0) == 0x5a4d and
        (
            (all of ($c*) and 7 of ($s*)) or
            ($guid and (any of ($v*)))
        )
}
```
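The Python below is an added example, not part of the Mandiant rule or this page: it re-implements the condition of G_Recon_WEEPSTEEL_1 in plain code so the effect of the wide, base64 and fullword modifiers can be inspected. The string sets are copied from the rule; the helper names, the trimming logic that mimics YARA's three base64 alignment permutations, and the sample buffers are this example's own assumptions.

```python
import base64
import re

# String sets copied from G_Recon_WEEPSTEEL_1 above; everything else is constructed.
VIEWSTATE = b'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value='
S_WIDE = b"Services\\Tcpip\\Parameters"            # $s2 carries `wide` only (UTF-16LE)
S_ASCII = [b"GetOperatingSystemInformation", b"GetSystemInformation",
           b"GetNetworkAdapterInformation", b"GetAllNetworkInterfaces",
           b"GetIPProperties", b"GetPhysicalAddress", b"GetDomainNameFromRegistry"]
C_FULLWORD = [b"Aes", b"CreateEncryptor", b"System.Security.Cryptography", b"ToBase64String"]
GUID = b"6d5a95da-0ffe-4303-bb2c-39e182335a9f"


def wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII string, what the `wide` modifier searches for."""
    return s.decode("ascii").encode("utf-16-le")


def base64_forms(s: bytes) -> list:
    """The three alignment permutations the `base64` modifier generates (assumed model):
    chars tainted by unknown preceding or following bytes are trimmed off each form."""
    forms = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + s)
        head = (0, 2, 3)[pad]                       # chars that depend on the padding
        tail = (0, 3, 2)[(pad + len(s)) % 3]        # chars that depend on what follows
        forms.append(enc[head:len(enc) - tail])
    return forms


def fullword(s: bytes, data: bytes) -> bool:
    """`fullword`: the string may not be bordered by alphanumeric characters."""
    pat = rb"(?<![0-9A-Za-z])" + re.escape(s) + rb"(?![0-9A-Za-z])"
    return re.search(pat, data) is not None


def matches_weepsteel(data: bytes) -> bool:
    """Evaluate the rule's condition over a byte buffer."""
    if data[:2] != b"MZ":                           # uint16(0) == 0x5a4d
        return False
    s_hits = int(wide(S_WIDE) in data) + sum(s in data for s in S_ASCII)
    all_c = all(fullword(c, data) for c in C_FULLWORD)
    v_forms = [VIEWSTATE, wide(VIEWSTATE)]         # $v_a, $v_w
    for f in base64_forms(VIEWSTATE):
        v_forms += [f, wide(f)]                     # $v_b64_a, $v_b64_w
    any_v = any(v in data for v in v_forms)
    return (all_c and s_hits >= 7) or (GUID in data and any_v)


# Constructed samples (not real malware): fake PE header, GUID, and a base64 blob in which
# the ViewState marker sits at a 2-byte offset, so only the third base64 form fires.
SAMPLE_MATCH = b"MZ" + b"\x00" * 62 + GUID + b" " + base64.b64encode(b"xx" + VIEWSTATE + b"yy")
SAMPLE_NOT_PE = b"PK" + GUID + VIEWSTATE
```

Pass file bytes to matches_weepsteel(); for actual scanning compile the rule with YARA itself, this is only a readable model of its logic.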

Acknowledgement


We would like to extend our gratitude to the Sitecore team for their support throughout this investigation. Additionally, we are grateful to Tom Bennett and Nino Isakovic for their assistance with the payload analysis. We also appreciate the valuable input and technical review provided by Richmond Liclican and Tatsuhiko Ito.




Published: 2025-09-03T14:00:00