Instances of Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) deployed in a multi-instance mode with customer-managed static machine keys using the leaked sample key are impacted by this vulnerability, tracked as CVE-2025-53690. Instances of Sitecore Managed Cloud Standard with Containers deployed in a multi-instance mode could also be impacted, according to the Sitecore advisory.
A ViewState code injection attack
In the ASP.NET web framework, ViewState is a method for preserving the state of web pages across web form posts. This information is stored in a hidden HTML field named __VIEWSTATE and can be signed and encrypted with keys, called ValidationKey and DecryptionKey, stored in the application configuration file.
If these keys are stolen or leaked, attackers can use them to craft malicious ViewState payloads inside POST requests that the server will then decrypt, validate, and execute by loading them into the memory of its worker process.
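A defensive check for the condition described above, as an added example that is not from the article or from Sitecore: it parses a web.config and reports any static `validationKey` or `decryptionKey`, flagging values that match a list of known-public keys. The sample config, the placeholder key, the digest list and the function name `audit_machine_key` are all assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample config; the key value is a made-up placeholder, not a real key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# SHA-256 digests of keys known to be public (documentation samples, leaks).
# Constructed here from the placeholder above; in practice, fill this from
# the vendor advisory or your own threat intelligence.
KNOWN_PUBLIC_KEY_DIGESTS = {
    hashlib.sha256(b"PLACEHOLDER0123456789ABCDEF").hexdigest()
}


def audit_machine_key(config_xml, public_digests=frozenset()):
    """Return (attribute, finding) tuples for each <machineKey> in a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # A missing attribute means ASP.NET auto-generates the key.
            value = mk.get(attr, "AutoGenerate")
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # generated per machine, nothing stored in the file
            # Hex keys are case-insensitive, so normalise before hashing.
            digest = hashlib.sha256(value.strip().upper().encode()).hexdigest()
            if digest in public_digests:
                findings.append((attr, "static key matches a known-public key"))
            else:
                findings.append((attr, "static key stored in config"))
    return findings


if __name__ == "__main__":
    for attr, finding in audit_machine_key(SAMPLE_WEB_CONFIG, KNOWN_PUBLIC_KEY_DIGESTS):
        print(f"{attr}: {finding}")
```

Comparing digests rather than raw values lets the known-public list be shared without redistributing the keys themselves.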
