Instances of Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) deployed in multi-instance mode with customer-managed static machine keys that use the leaked sample key are affected by this vulnerability, tracked as CVE-2025-53690. Instances of Sitecore Managed Cloud Standard with Containers deployed in multi-instance mode may also be affected, according to the Sitecore advisory.
A ViewState code injection attack
In ASP.NET, ViewState is a mechanism for preserving the state of web pages across web form posts. This data is stored in a hidden HTML field named __VIEWSTATE and can be signed and encrypted with keys, known as the ValidationKey and DecryptionKey, stored in the application configuration file.
If these keys are stolen or leaked, attackers can use them to craft malicious ViewState payloads inside POST requests that the server will then decrypt, validate, and execute by loading them into the memory of its worker process.
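Because the risk depends on whether the configured keys are still secret, a defender can audit each web.config for static machineKey values and compare them against key material known to be public. The following is an added example, not code from Sitecore or the original article; the function name, verdict labels, and sample configurations are assumptions, and the exposed-key entries are placeholders because the leaked sample key is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

# Constructed placeholders: the leaked sample key is not reproduced on this page.
# Populate this set from the vendor advisory or documentation you audit against.
KNOWN_EXPOSED_KEYS = {"PLACEHOLDER-SAMPLE-VALIDATION-KEY",
                      "PLACEHOLDER-SAMPLE-DECRYPTION-KEY"}


def _normalise(key: str) -> str:
    # Hex key material is case-insensitive; ignore case and stray whitespace.
    return key.strip().upper()


def audit_machine_key(config_xml: str, exposed=KNOWN_EXPOSED_KEYS) -> dict:
    """Classify the <machineKey> settings of one web.config document."""
    exposed = {_normalise(k) for k in exposed}
    result = {"static": [], "exposed": [], "verdict": "auto-generated"}
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return result  # no <machineKey> element in this file
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")
        if value.strip().lower().startswith("autogenerate"):
            continue  # e.g. "AutoGenerate,IsolateApps"
        result["static"].append(attr)
        if _normalise(value) in exposed:
            result["exposed"].append(attr)
    if result["exposed"]:
        result["verdict"] = "rotate-now"      # key material is public
    elif result["static"]:
        result["verdict"] = "static-review"   # safe only while the key stays secret
    return result


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_LEAKED = """<configuration><system.web>
  <machineKey validationKey="placeholder-sample-validation-key"
              decryptionKey="placeholder-sample-decryption-key"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SAMPLE_UNIQUE = """<configuration><system.web>
  <machineKey validationKey="0123ABCD" decryptionKey="4567EF89" />
</system.web></configuration>"""
SAMPLE_DEFAULT = "<configuration><system.web /></configuration>"

if __name__ == "__main__":
    for name, xml in (("leaked", SAMPLE_LEAKED), ("unique", SAMPLE_UNIQUE),
                      ("default", SAMPLE_DEFAULT)):
        print(name, audit_machine_key(xml))
```

A "static-review" verdict is expected for multi-instance deployments that share keys; the finding that requires immediate key rotation is "rotate-now".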



