Vulnerability Report

CVE-2025-53690

RCE CISA KEV Active

Title: Sitecore Experience Manager RCE

RCE

Proof Of Concept

PoC Available for CVE-2025-53690

CWE Category CWE-502

Published Date Sep 03, 2025

Modified Date Oct 30, 2025

Exploit Status Available

Score 9.0 CVSS v3.1

Exploit Probability (EPSS)

26.31%

Vulnerability Summary

CVE-2025-53690: Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

Impacted Vendors

adobe 1

sitecore 4

bloomreach 1

Reference Links

https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53690

CVSS v3.1

Source Entity 9947ef80-c5d5-474a-bbab-97341a59000e

Severity CRITICAL

9.0

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2025-53690 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/rxerium/CVE-2025-53690

View Code

GitHub https://github.com/ErikLearningSec/CVE-2025-53690-POC

View Code

GitHub https://github.com/m0d0ri205/CVE-2025-53690-Analysis

View Code

October 30, 2025 MODIFIED

Vulnerability data or affected products updated.

October 30, 2025 MODIFIED

Vulnerability data updated via NVD.

September 03, 2025 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity HIGH

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Stack

No specific products linked.