The Record

CISA orders federal agencies to patch Sitecore zero-day following hacking reports

Federal civilian agencies have until September 25 to patch a vulnerability in popular content management system Sitecore after incident responders said they disrupted a recent attack involving the bug ...
heise online

Sitecore: Attackers can inject malicious code – without logging in

The CMS Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP), which are available as cloud and on-premises solutions, are affected by a critical vulnerability. Attackers can inject ...
CSOonline

Sitecore zero-day configuration flaw under active exploitation

Attackers are leveraging a sample machine key in Sitecore products for initial access before ViewState code injections lead to escalated privileges and lateral movement across the network. A sample ...
theregister

Attackers snooping around Sitecore, dropping malware via public sample keys

Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected ...
TechRadar

Top CMS Sitecore patches critical zero-day flaw being hit by hackers

Sitecore patched a critical zero-day deserialization flaw affecting legacy deployments Threat actors exploited the vulnerability to deploy malware like WeepSteel Mandiant intervened mid-attack, ...
The Hacker News

CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active ...