CVE-2025-53690

CRITICAL KEV

Sitecore XM/XP <9.0 - Code Injection

Title source: llm

Description

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection. This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

Exploits (3)

github · WORKING POC · 8 stars
  by ErikLearningSec · c# · remote
  https://github.com/ErikLearningSec/CVE-2025-53690-POC
nomisec · SCANNER · 5 stars
  by rxerium · poc
  https://github.com/rxerium/CVE-2025-53690
nomisec · WRITEUP · 3 stars
  by m0d0ri205 · poc
  https://github.com/m0d0ri205/CVE-2025-53690-Analysis

Scores

CVSS v3 9.0
EPSS 0.0854
EPSS Percentile 92.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CISA KEV 2025-09-04
VulnCheck KEV 2025-09-03
ENISA EUVD EUVD-2025-26629
CWE
CWE-502
Status published
Products (4)
sitecore/experience_commerce < 9.0
sitecore/experience_manager < 9.0
sitecore/experience_platform < 9.0
sitecore/managed_cloud
Published Sep 03, 2025
KEV Added Sep 04, 2025
Tracked Since Feb 18, 2026