CVE-2025-53690

CRITICAL CISA KEV EPSS 97.7%

Published Sep 3, 20259mo ago · Modified Jun 17, 20261w ago

9.0 CVSS 3.1

Critical

Find Similar

Published Sep 3, 2025 9mo ago

Last Modified Jun 17, 2026 1w ago

KEV Listed Sep 4, 2025 9mo ago

KEV Due Sep 25, 2025 278d overdue

Description

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

CVSS Details

Base Score

9.0

Exploitability

2.2

Impact

6.0

Vector string

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector Network

Attack Complexity High

Privileges Required None

User Interaction None

Scope Changed

Confidentiality High

Integrity High

Availability High

Threat Intelligence

CISA Known Exploited Overdue 278d

Added: Sep 4, 2025
Due: Sep 25, 2025

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability

97.7% percentile

Exploit & Patch Status

Actively Exploited (KEV)

No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

Affected Products 4

Vendor	Product	Version	Range
sitecore	experience_commerce	*	≤9.0
sitecore	experience_manager	*	≤9.0
sitecore	experience_platform	*	≤9.0
sitecore	managed_cloud	*	any

References 3

cloud.google.com https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability

ExploitThird Party Advisory
support.sitecore.com https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865

Vendor Advisory
cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690

US Government Resource

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.