Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Sitecore ViewState Deserialization Vulnerability Allowing Code Injection

Vulnerability

A deserialization-of-untrusted-data vulnerability has been identified in Sitecore Experience Manager (XM) and Experience Platform (XP), versions through 9.0. The root cause is not a missing check but a published secret: Sitecore's deployment guides included a sample ASP.NET machineKey, and deployments that copied it into web.config share that key with anyone who has read the guide. ASP.NET authenticates ViewState with an HMAC computed under the configured validationKey, so an attacker who holds the key can serialize an arbitrary object graph, attach a valid MAC, and have the server accept the forged ViewState as trusted data. The server then deserializes it, which is where the code injection occurs.

Impact

Exploitation of this vulnerability leads to remote code execution on the affected server, in the security context of the IIS worker process that hosts the Sitecore site.

Reproduction

To reproduce, deploy a vulnerable version of Sitecore XP or XM configured with the machine key published in the Sitecore deployment guides. Then send an HTTP POST to the 'blocked.aspx' endpoint whose __VIEWSTATE field carries a serialized payload signed with that key. Because ASP.NET deserializes ViewState while loading page state, before the page's own handlers run, the payload executes during deserialization, and the server's response indicates successful exploitation.

Remediation

Sitecore customers should rotate to a fresh, unique machine key on every affected instance (using the same new key on all servers that serve the same site, since ViewState produced by one farm node must validate on the others), encrypt the machineKey section of web.config (for example with aspnet_regiis -pef "system.web/machineKey" followed by the site's physical path), and restrict filesystem access to web.config. Rotation invalidates outstanding ViewState and forms-authentication tickets, so users will be signed out. Upgrading Sitecore alone does not close this issue, because the exposed key is configuration rather than code, and a server that has already accepted a forged payload should be treated as compromised and investigated rather than only re-keyed. For detailed instructions, refer to the Sitecore advisory SC2025-005.
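The key audit and rotation described above, as an added example (this is not Sitecore's tooling and not taken from advisory SC2025-005): a Python script that parses a web.config, reports whether its machineKey is auto-generated, static, a known published sample, weak, or already encrypted, and writes back a rotated element with fresh CSPRNG keys. The sample web.config, its placeholder hex values, the encrypted-section sample and the finding codes are all constructed for this example; the real published sample keys are not reproduced here and would be supplied through the known_sample_keys parameter from your own inventory.

```python
"""Audit and rotate the ASP.NET <machineKey> in a web.config (added example,
not Sitecore tooling). Assumes <configuration><system.web><machineKey/>."""
import secrets
import xml.etree.ElementTree as ET

# Key sizes matching the algorithms the rotated element declares:
# HMACSHA256 takes a 64-byte validationKey, AES-256 a 32-byte decryptionKey.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}

# Constructed sample config with a hard-coded key, the shape the deployment
# guides prescribed. The hex values are placeholders invented for this example,
# NOT the sample keys from the guides.
SAMPLE_VALIDATION_KEY = "A1B2C3D4" * 16  # 128 hex chars = 64 bytes
SAMPLE_DECRYPTION_KEY = "0F1E2D3C" * 8   # 64 hex chars = 32 bytes
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample of the same section after `aspnet_regiis -pe`: the key
# attributes are gone, replaced by an EncryptedData child and a provider name.
ENCRYPTED_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData />
    </machineKey>
  </system.web>
</configuration>
"""


def _parse(web_config_xml):
    # Parse from bytes so the declaration's encoding attribute is honoured.
    return ET.fromstring(web_config_xml.encode("utf-8"))


def current_machine_key(web_config_xml):
    """Return the <machineKey> attributes as a dict, or None if absent."""
    elem = _parse(web_config_xml).find("./system.web/machineKey")
    return None if elem is None else dict(elem.attrib)


def audit_machine_key(web_config_xml, known_sample_keys=frozenset()):
    """Return finding codes for <machineKey>. known_sample_keys holds published
    validationKey values (e.g. from vendor guides), compared case-insensitively."""
    elem = _parse(web_config_xml).find("./system.web/machineKey")
    if elem is None:
        # ASP.NET then auto-generates per-machine keys; nothing published can match.
        return ["NO_MACHINE_KEY_ELEMENT"]
    if elem.get("configProtectionProvider"):
        # Section encrypted with aspnet_regiis; the key values are not visible here.
        return ["ENCRYPTED_SECTION"]
    vkey = (elem.get("validationKey") or "AutoGenerate").upper()
    dkey = (elem.get("decryptionKey") or "AutoGenerate").upper()
    if vkey.startswith("AUTOGENERATE") and dkey.startswith("AUTOGENERATE"):
        return ["AUTOGENERATED"]
    findings = ["STATIC_KEY"]  # acceptable only if unique to this deployment
    if vkey in {k.upper() for k in known_sample_keys}:
        findings.append("KNOWN_SAMPLE_KEY")  # anyone with the guide can forge ViewState
    if (elem.get("validation") or "").upper() in WEAK_VALIDATION:
        findings.append("WEAK_VALIDATION")
    return findings


def generate_machine_key():
    """Fresh CSPRNG key material formatted as <machineKey> attributes."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config_xml, new_key=None):
    """Return web_config_xml with <machineKey> replaced by new_key (generated if
    None). Apply the SAME new key to every node that serves the site."""
    root = _parse(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    elem = system_web.find("machineKey")
    if elem is not None and elem.get("configProtectionProvider"):
        raise ValueError("machineKey is encrypted; run aspnet_regiis -pdf first")
    if elem is None:
        elem = ET.SubElement(system_web, "machineKey")
    elem.attrib.clear()
    elem.attrib.update(new_key or generate_machine_key())
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG, {SAMPLE_VALIDATION_KEY}))
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(rotated, {SAMPLE_VALIDATION_KEY}))
    print(rotated)
```

Run it against a copy of web.config from each role (content management and content delivery). The script refuses to rotate an already-encrypted section, so on a hardened instance decrypt with aspnet_regiis -pdf first, rotate, then re-encrypt with -pef. Writing the same generated key to every node of a farm is deliberate: per-node keys would make ViewState and authentication tickets issued by one node fail on the others behind a load balancer.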

Added: Sep 3, 2025, 8:24 PM
Updated: Sep 4, 2025, 6:06 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 10.0
remediation: 6.0
relevance: 0.5
threat: 8.1
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.