A zero-day vulnerability (CVE-2025-53690) in Sitecore’s Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) was exploited by threat actors using a leaked sample ASP.NET machine key. Attackers leveraged ViewState deserialization to achieve remote code execution on exposed on-premises deployments. Post-exploitation, they deployed malware (including DWAGENT RAT), exfiltrated sensitive Sitecore configurations, stole credentials and tokens, performed Active Directory reconnaissance, and escalated privileges to domain administrator level. The attack targeted multi-instance environments with customer-managed static keys, risking lateral movement across networks. While Mandiant disrupted the attack before full execution, the breach exposed backend dependencies, user data, and network architectures, enabling potential follow-on attacks like data theft, ransomware, or system takeover. Sitecore confirmed affected customers were notified, but unpatched systems remain at risk of full infrastructure compromise and operational disruption if exploited further.