


Perceptive Security
SOC/SIEM Consultancy

China-linked hackers exploited Sitecore zero-day for initial access
Published:
16 January 2026 at 17:10:15
Alert date:
16 January 2026 at 18:01:49
Source:
bleepingcomputer.com
Zero-Day Vulnerabilities, Web Technologies, Critical Infrastructure, Enterprise Applications
Advanced threat actor UAT-8837, which Cisco Talos assesses is likely linked to China, has been targeting critical infrastructure in North America. The group gained initial access by exploiting both known vulnerabilities and a zero-day in Sitecore products. This is an active campaign against critical infrastructure by an actor with zero-day exploitation capability.
Technical details
UAT-8837 exploited CVE-2025-53690, a ViewState deserialization flaw in Sitecore products that was a zero-day at the time of exploitation, for initial access. The actor uses compromised credentials or server-side vulnerabilities to get onto a host, then performs hands-on-keyboard reconnaissance. It disables RDP Restricted Admin mode so that interactive RDP logons leave reusable credentials on the compromised host, runs native Windows commands for host and network reconnaissance, maps Active Directory topology and trust relationships, and rotates through open-source tooling to evade detection. In at least one case the actor exfiltrated a DLL, likely for later trojanization and a supply-chain attack.
Mitigation steps:
Organizations should review Cisco Talos' report for indicators of compromise and examples of the commands and tools used in the attack, and apply the remediation in Sitecore's KB1003865 for CVE-2025-53690. Monitor for the tools named in the report, including GoTokenTheft, Rubeus, Certipy, SharpHound, Impacket, Invoke-WMIExec, GoExec, SharpWMI, Earthworm, and DWAgent. Because those binaries are easily renamed, also watch for the surrounding activity: the IIS worker process (w3wp.exe) spawning cmd.exe or PowerShell, changes to the RDP Restricted Admin setting, and bursts of native Windows commands used for reconnaissance and credential collection.
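The following is an added detection example, not code from the Talos report, BleepingComputer, or Sitecore. It runs the monitoring rules above over a handful of constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set); the event shapes, hostnames, paths and timestamps are assumptions for illustration. The registry rule fires on any write to the DisableRestrictedAdmin value, regardless of the value written, so that it catches both disabling and enabling Restricted Admin mode.

```python
"""Detection sweep for the UAT-8837 tradecraft summarised in the advisory (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Sysmon records after SIEM ingestion; not observed data.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-01-16T10:00:01", "Computer": "CMS01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all"},
    {"EventID": 1, "UtcTime": "2026-01-16T10:00:09", "Computer": "CMS01",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"EventID": 1, "UtcTime": "2026-01-16T10:00:20", "Computer": "CMS01",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"EventID": 13, "UtcTime": "2026-01-16T10:03:40", "Computer": "CMS01",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "UtcTime": "2026-01-16T10:05:02", "Computer": "CMS01",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\Public\SharpHound.exe",
     "CommandLine": "SharpHound.exe -c All"},
    # Benign-looking admin activity on another host: one recon command, normal parent, no finding.
    {"EventID": 1, "UtcTime": "2026-01-16T11:30:00", "Computer": "WS07",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]

# Tool names listed in the advisory; matched case-insensitively on image name and command line.
TOOL_NAMES = ["gotokentheft", "rubeus", "certipy", "sharphound", "impacket",
              "invoke-wmiexec", "goexec", "sharpwmi", "earthworm", "dwagent"]

# Native Windows reconnaissance, grouped so a burst counts distinct categories, not repeats.
RECON_PATTERNS = {
    "ad_trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "domain_groups": re.compile(r"\bnet1?(\.exe)?\s+group\b.*/domain\b", re.I),
    "identity": re.compile(r"\bwhoami(\.exe)?\b", re.I),
    "host_network": re.compile(r"\b(ipconfig|systeminfo|netstat|quser|tasklist)(\.exe)?\b", re.I),
}
RECON_BURST_MIN = 3            # distinct categories ...
RECON_WINDOW = timedelta(minutes=5)   # ... within this window on one host
WEB_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RESTRICTED_ADMIN_VALUE = r"\control\lsa\disablerestrictedadmin"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of findings, each {'rule', 'host', 'detail'}, for the given events."""
    findings = []
    recon_hits = defaultdict(list)  # host -> [(timestamp, category)]
    for e in events:
        host, ts = e["Computer"], datetime.fromisoformat(e["UtcTime"])
        if e["EventID"] == 13:
            if e.get("TargetObject", "").lower().endswith(RESTRICTED_ADMIN_VALUE):
                findings.append({"rule": "restricted_admin_registry", "host": host,
                                 "detail": f"{_basename(e['Image'])} set {e['TargetObject']} = {e.get('Details')}"})
            continue
        if e["EventID"] != 1:
            continue
        image, parent = _basename(e["Image"]), _basename(e.get("ParentImage", ""))
        cmdline = e.get("CommandLine", "")
        # ViewState deserialization executes inside the IIS worker; a shell child of w3wp.exe is the tell.
        if parent == WEB_WORKER and image in SHELLS:
            findings.append({"rule": "web_worker_spawned_shell", "host": host, "detail": cmdline})
        haystack = f"{image} {cmdline}".lower()
        for tool in TOOL_NAMES:
            if tool in haystack:
                findings.append({"rule": "known_tool_name", "host": host, "detail": f"{tool}: {cmdline}"})
        for category, pattern in RECON_PATTERNS.items():
            if pattern.search(cmdline):
                recon_hits[host].append((ts, category))
    # Burst rule: sliding window over each host's recon commands, counting distinct categories.
    for host, hits in recon_hits.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            categories = {cat for t, cat in hits[i:] if t - start <= RECON_WINDOW}
            if len(categories) >= RECON_BURST_MIN:
                findings.append({"rule": "recon_burst", "host": host,
                                 "detail": f"{len(categories)} recon categories within {RECON_WINDOW}: {sorted(categories)}"})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The tool-name rule is the weakest of the four, since a renamed Rubeus or SharpHound binary sails past it; the process-lineage, registry and recon-burst rules are what still fire after renaming, which is why the advisory's "cycle through open-source tools" behaviour is better caught by the activity around the tools than by their names.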
Affected products:
Sitecore products
Related links:
https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/
https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865
https://www.bleepingcomputer.com/news/security/hackers-exploited-sitecore-zero-day-flaw-to-deploy-backdoors/
https://blog.talosintelligence.com/uat-8837/
https://github.com/Cisco-Talos/IOCs/tree/main/2026/01
Related CVEs:
CVE-2025-53690
Related threat actors:
UAT-8837
IOCs:
See the Cisco Talos IOC repository linked above.
This article was created with the assistance of AI technology by Perceptive.
