ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)
ID: 1b47582a-5caf-5cc9-8020-20c21aacba30
STIX ID: report--1b47582a-5caf-5cc9-8020-20c21aacba30
Feed Name: Threat Intelligence
Mandiant observed a threat actor exploiting a Sitecore Content Delivery instance through repeated HTTP POST requests to a blocked.aspx endpoint, gaining NETWORK SERVICE (w3wp.exe) privileges. The actor then archived and exfiltrated the web root (including web.config) and performed host and network reconnaissance (processes, services, accounts, TCP/IP, active connections) to enable further post-exploitation activity.
