Introduction
Remote code execution through a single HTTP request has been observed in real-world attacks against enterprise content management systems. Sitecore Experience Manager (XM) and Experience Platform (XP) are widely deployed in large organizations for digital experience management and content delivery. A critical vulnerability in these platforms, CVE-2025-53690, enables attackers to inject and execute arbitrary code by exploiting insecure deserialization of untrusted data.
About Sitecore: Sitecore is a major enterprise digital experience and content management platform, used by thousands of organizations globally across finance, healthcare, government, and retail. Its .NET-based architecture and extensive feature set make it a cornerstone for digital transformation in large enterprises. Sitecore's ecosystem includes multiple products and integrations, making its security posture highly relevant to the broader tech industry.
Technical Information
CVE-2025-53690 is a deserialization of untrusted data vulnerability classified under CWE-502. The issue affects Sitecore Experience Manager (XM) and Experience Platform (XP) through version 9.0. The vulnerability occurs when Sitecore processes serialized .NET objects from untrusted sources without adequate validation or sanitization. Attackers can craft malicious serialized payloads, often using tools like ysoserial.net, and deliver them via HTTP requests to endpoints that accept serialized data.
When the Sitecore application deserializes these objects, attacker-controlled code can be executed within the context of the application pool identity. This can result in full remote code execution, persistent backdoors, and lateral movement within the enterprise network. Similar vulnerabilities in Sitecore have previously targeted HTTP headers or parameters that accept serialized objects, such as the ThumbnailsAccessToken header (see CVE-2025-27218).
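The following C# is an added illustration of the CWE-502 pattern described above and of a hardened replacement; it is not Sitecore's code and not the code behind this CVE (the page notes that no public vulnerable snippet exists). The header name ThumbnailsAccessToken is taken from the page; the AccessTokenDto type, the method names and the token fields are assumptions made for the example.

```csharp
// Added illustration (not Sitecore code): the unsafe CWE-502 pattern and a
// hardened replacement. AccessTokenDto and the method names are assumptions.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// A data-only contract for what the header is supposed to carry (assumed).
public sealed class AccessTokenDto
{
    public string UserId { get; set; } = "";
    public DateTime ExpiresUtc { get; set; }
}

public static class TokenHandling
{
    // VULNERABLE: untrusted header bytes go straight into BinaryFormatter.
    // The stream itself names the .NET types to instantiate, so a crafted
    // payload (e.g. one produced by ysoserial.net) runs attacker-chosen code
    // during deserialization, under the application pool identity.
    public static object DeserializeUnsafe(string headerValue)
    {
        byte[] raw = Convert.FromBase64String(headerValue);
        using var ms = new MemoryStream(raw);
        var formatter = new BinaryFormatter();   // obsolete in modern .NET for exactly this reason
        return formatter.Deserialize(ms);         // CWE-502: deserialization of untrusted data
    }

    // HARDENED: a fixed contract parsed with a format that never instantiates
    // types named by the input. The input can only populate the listed
    // properties, and the result is validated before it is trusted.
    public static AccessTokenDto DeserializeSafe(string headerValue)
    {
        byte[] raw = Convert.FromBase64String(headerValue);
        AccessTokenDto dto = JsonSerializer.Deserialize<AccessTokenDto>(raw)
                             ?? throw new InvalidDataException("empty token");
        if (string.IsNullOrWhiteSpace(dto.UserId) || dto.ExpiresUtc < DateTime.UtcNow)
            throw new InvalidDataException("invalid or expired token");
        return dto;
    }
}

// Defence in depth for a legacy path that cannot drop BinaryFormatter at once:
// a binder that refuses every type outside an explicit allow-list removes the
// attacker's choice of gadget type. Removing BinaryFormatter remains the fix;
// Microsoft documents that a binder alone is not a complete mitigation.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(AccessTokenDto).FullName)
            return typeof(AccessTokenDto);
        throw new SerializationException($"type not permitted: {typeName}");
    }
}
```

The two functions take the same Base64 header value; the difference is that the safe path decides the target type in code, while the unsafe path lets the payload decide. Assign the binder with `formatter.Binder = new AllowListBinder()` only as a stopgap while the BinaryFormatter call is being removed.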
The exploitation process typically involves:
- Reconnaissance to identify Sitecore installations and vulnerable endpoints
- Crafting malicious serialized .NET objects with embedded payloads
- Delivering the payload via HTTP to the vulnerable endpoint
- Triggering deserialization and code execution on the target system
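As a defensive counterpart to the delivery step above, the following added C# (not from the page or from Sitecore) flags request headers or parameters whose value decodes to a .NET BinaryFormatter stream. Such streams begin with the bytes 00 01 00 00 00 FF FF FF FF, which Base64-encode as the prefix "AAEAAAD/////". The request records, endpoint paths and the RequestRecord/DeserializationDetector names are constructed for the example; the ThumbnailsAccessToken header name comes from the page.

```csharp
// Added detection example (not Sitecore code): spot BinaryFormatter streams in
// logged request values without ever deserializing them. Sample data is constructed.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public record RequestRecord(string Path, string Source, string Name, string Value);

public static class DeserializationDetector
{
    // Serialization header of a BinaryFormatter stream (SerializationHeaderRecord).
    private static readonly byte[] BinaryFormatterHeader =
        { 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };

    // True when the (possibly URL-encoded) value Base64-decodes to a stream
    // that starts with the BinaryFormatter header. Only decoded, never deserialized.
    public static bool LooksLikeBinaryFormatterPayload(string value)
    {
        string candidate = WebUtility.UrlDecode(value ?? "").Trim();
        // Caveat: URL decoding turns '+' into ' ', which would corrupt Base64.
        candidate = candidate.Replace(' ', '+');
        if (candidate.Length < 12) return false;   // 12 Base64 chars = the 9-byte header
        byte[] bytes;
        try { bytes = Convert.FromBase64String(candidate); }
        catch (FormatException) { return false; }   // not Base64 at all
        if (bytes.Length < BinaryFormatterHeader.Length) return false;
        for (int i = 0; i < BinaryFormatterHeader.Length; i++)
            if (bytes[i] != BinaryFormatterHeader[i]) return false;
        return true;
    }

    // One alert line per request value that carries a serialized-object stream.
    public static List<string> Scan(IEnumerable<RequestRecord> requests)
    {
        var alerts = new List<string>();
        foreach (RequestRecord r in requests)
            if (LooksLikeBinaryFormatterPayload(r.Value))
                alerts.Add($"ALERT {r.Path}: {r.Source} '{r.Name}' carries a BinaryFormatter stream ({r.Value.Length} chars)");
        return alerts;
    }

    public static void Main()
    {
        // Constructed samples: a benign opaque token, a Base64 value with the
        // BinaryFormatter header, and the same header delivered URL-encoded.
        var samples = new[]
        {
            new RequestRecord("/sitecore/shell/", "header", "ThumbnailsAccessToken",
                Convert.ToBase64String(Encoding.UTF8.GetBytes("user=alice;exp=2030"))),
            new RequestRecord("/sitecore/shell/", "header", "ThumbnailsAccessToken",
                "AAEAAAD/////AQAAAAAAAAAMAgAAAA=="),
            new RequestRecord("/api/item", "query", "state",
                "%41%41%45%41%41%41%44%2F%2F%2F%2F%2FAQAAAAAAAAAM"),
        };
        foreach (string alert in Scan(samples)) Console.WriteLine(alert);
        // Expected: two alerts (the second and third samples); the first is benign.
    }
}
```

The check is deliberately narrow: it matches the stream format rather than any particular gadget chain, so it catches payloads regardless of which tool produced them, and it raises nothing on ordinary Base64 tokens. Run it over reverse-proxy or IIS request logs where header and query values are retained, and treat any hit on an endpoint that should not receive serialized objects as an incident trigger rather than a tuning exercise.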
No public vulnerable code snippets are available for this CVE. Exploit details are consistent with previous Sitecore deserialization flaws.
Affected Systems and Versions
- Sitecore Experience Manager (XM): through 9.0
- Sitecore Experience Platform (XP): through 9.0
All configurations of these versions are vulnerable if they process serialized data from untrusted sources.
Vendor Security History
Sitecore has experienced multiple critical deserialization vulnerabilities in recent years, including:
- CVE-2025-27218: Deserialization flaw in Sitecore 10.4
- CVE-2019-9874 and CVE-2019-9875: Added to CISA's Known Exploited Vulnerabilities catalog
- Additional 2025 vulnerabilities: CVE-2025-53691, CVE-2025-53693, CVE-2025-53694
Patch response times have varied, with some issues addressed quickly and others requiring multiple updates. The recurrence of deserialization flaws indicates ongoing challenges in secure input handling and serialization practices.