Vulnerability Description
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sitecore | Experience Commerce | <= 9.0 |
| Sitecore | Experience Manager | <= 9.0 |
| Sitecore | Experience Platform | <= 9.0 |
| Sitecore | Managed Cloud | - |
Related Weaknesses (CWE)
References
- https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserializatiExploitThird Party Advisory
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865Vendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-US Government Resource
FAQ
What is CVE-2025-53690?
CVE-2025-53690 is a vulnerability with a CVSS score of 9.0 (CRITICAL). Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Ex...
How severe is CVE-2025-53690?
CVE-2025-53690 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-53690?
Check the references section above for vendor advisories and patch information. Affected products include: Sitecore Experience Commerce, Sitecore Experience Manager, Sitecore Experience Platform, Sitecore Managed Cloud.