Скачать или смотреть Legacy Sitecore Flaw Exploited to Deploy WeepSteel Backdoor

…
Attackers are exploiting a critical misconfiguration flaw in Sitecore’s web CMS (CVE-2025-53690) that allows remote code execution by abusing a sample ASP.NET machine key included in old deployment guides.

Using a ViewState deserialization attack on an exposed page, the adversaries gain initial access and deploy a custom backdoor called WeepSteel for internal reconnaissance. They archived the Sitecore web root to steal configuration files and deployed additional tools (e.g., EarthWorm tunneler, DWagent remote access) to expand footholds and maintain persistence by creating new local admin accounts.

The campaign was quickly detected and disrupted by researchers, but it highlights the danger of default credentials and keys. Sitecore has alerted customers and recommends immediately replacing any static machine keys with unique, securely generated keys and encrypting them in configuration files to prevent such attacks.

For affected organizations, this incident emphasizes the importance of thorough security reviews of legacy installations and the removal of any default or sample credentials.


RECOMMENDATIONS:

1. Administrators who might be affected should promptly generate and implement unique, cryptographically strong machineKey values for each Sitecore instance, encrypt them in web.config, and establish a quarterly rotation process.

2. Organizations should regularly rotate static machine keys as a continuous security practice.


Also in today's cybersecurity news…


Bridgestone Americas is investigating a limited cyber incident that disrupted operations at facilities in South Carolina and Quebec. The company has confirmed early containment and found no evidence of customer data or interface compromise.

Its focus is on maintaining business continuity and supply chain stability to prevent tire shortages while ongoing forensic analysis continues. The nature of the intrusion, including whether ransomware was involved, remains unconfirmed.

Jaguar Land Rover faces a more severe impact, with production halted at Halewood, Solihull, and Wolverhampton after key IT systems were proactively taken offline. JLR’s dealer, parts, and repair networks worldwide have been disrupted, causing delays in sales and repairs during a crucial UK registration period.

A group calling itself “Scattered Lapsus$ Hunters” claims to have gained access and has released internal screenshots. However, customer data exposure has not been confirmed.

…

Visit our blog for more daily Intel ➜ https://cyderes.com/blog

See our newsletter for deeper monthly insights ➜ https://cyderes.com/newsletter

Catch our podcast for brief cyber updates ➜    / @beeverydayready  

Follow our story ➜   / cyderes  

…

#beeverydayready #cybersecurity #cyderes