CVE-2025-53690

Published: Sep 3, 2025Modified: Oct 30, 2025CISA KEV

9.0

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 6.0

Source: 9947ef80-c5d5-474a-bbab-97341a59000e (Secondary)

Description

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

Affected (4)

Products: Sitecore: Experience Commerce, Experience Manager, Experience Platform, Managed Cloud

4 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Sitecore Experience Commerce	Up to 9.0
Sitecore Experience Manager	Up to 9.0
Sitecore Experience Platform	Up to 9.0
Sitecore Managed Cloud	All versions

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (3)

https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability

Source: 9947ef80-c5d5-474a-bbab-97341a59000e

ExploitThird Party Advisory

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865

Source: 9947ef80-c5d5-474a-bbab-97341a59000e

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.