CVE-2025-53690 Sitecore Products ViewState Deserialization Vulnerability

🗓️ 03 Sep 2025 20:04:48Reported by WizType

Deserialization of untrusted data in Sitecore XM and XP allows code injection via ViewState.

Reporter	Title	Published	Views	Family All 20
GithubExploit	Exploit for Deserialization of Untrusted Data in Sitecore Experience_Commerce	5 Nov 202506:50	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Sitecore Experience_Commerce	4 Sep 202519:53	–	githubexploit
Circl	CVE-2025-53690	3 Sep 202519:30	–	circl
CISA KEV Catalog	Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability	4 Sep 202500:00	–	cisa_kev
CISA	CISA Adds Three Known Exploited Vulnerabilities to Catalog	4 Sep 202512:00	–	cisa
CNNVD	Sitecore Experience Manager 安全漏洞	3 Sep 202500:00	–	cnnvd
CVE	CVE-2025-53690	3 Sep 202520:04	–	cve
EUVD	EUVD-2025-26629	3 Sep 202520:04	–	euvd
HackRead	Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware	8 Sep 202515:48	–	hackread
NVD	CVE-2025-53690	3 Sep 202520:15	–	nvd

[
  {
    "defaultStatus": "unaffected",
    "product": "Experience Manager (XM)",
    "vendor": "Sitecore",
    "versions": [
      {
        "lessThanOrEqual": "9.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Experience Platform (XP)",
    "vendor": "Sitecore",
    "versions": [
      {
        "lessThanOrEqual": "9.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
cloud	www.cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability
support	www.support.sitecore.com/kb

03 Sep 2025 20:04Current

CVSS 3.19

EPSS0.05153

CWE-502