China-linked hackers exploited a Sitecore zero-day to gain initial access into North American critical infrastructure networks.

Continue reading
A China-linked advanced threat actor, tracked as UAT-8837, has been conducting sustained cyber intrusions against critical infrastructure entities in North America. The group recently used a high-severity zero-day vulnerability in Sitecore to gain initial access into target environments, then broadened its foothold through credential harvesting, network reconnaissance, and deployment of post-exploit tools. This campaign highlights evolving tactics by sophisticated adversaries that combine zero-day exploitation with open-source operational tooling.
Cisco Talos, a major cybersecurity research unit, has published analysis showing that an advanced persistent threat (APT) actor with a suspected nexus to China has been targeting critical infrastructure sectors in North America since at least 2025. The group’s codename in Talos reporting is UAT-8837.
In a recent intrusion, UAT-8837 exploited CVE-2025-53690, a critical ViewState deserialization zero-day flaw in Sitecore products, to obtain initial access to victim systems. This vulnerability has a CVSS score around 9.0, indicating high severity.
The flaw allows an attacker to execute arbitrary code on a vulnerable server by sending specially crafted ViewState data. Sitecore has since released patches for this vulnerability, but unpatched systems remain at risk.
Zero-day exploitation is the starting point. The attackers probed internet-facing Sitecore instances and delivered a malicious ViewState payload that bypassed validation and led to remote code execution. This gave them a foothold on targeted servers.
Once inside, UAT-8837 shifted to reconnaissance and lateral expansion:
The toolset observed includes:
In at least one incident, the group exfiltrated a dynamic library (DLL) from a victim product, likely to support future supply-chain or trojanization campaigns.
Cisco Talos assesses UAT-8837’s operations with medium confidence as tied to China-nexus activities, based on overlaps with known tactics, techniques, and procedures (TTPs) of other threat groups attributed to Chinese state interests.
Unlike espionage campaigns that focus on long-term intelligence collection, UAT-8837’s current focus appears squarely on gaining initial access and footholds inside high-value networks. Once inside, the group collects credentials and network configuration details that can be used to scale access or pivot deeper into organizations.
The targeting of North American critical infrastructure mirrors broader geopolitical concerns about state-linked cyber operations that aim to probe and potentially weaken essential systems. Governments and cybersecurity agencies in multiple countries have recently issued advisories on the rising threats to operational technology (OT) and critical networks.
This zero-day exploit campaign follows earlier observations of the same vulnerability being abused by threat actors deploying malware inside vulnerable Sitecore environments. In those cases, attackers used exposed machine keys from older documentation to bypass validation, achieve remote code execution, deploy reconnaissance malware such as WeepSteel, and lay groundwork for further compromise.
Sitecore and industry partners recommended rotating machine keys and applying security updates to prevent exploitation. The issue underscored how insecure configurations in widely used applications offer attackers simple entry points into large enterprise systems.
Immediate Actions
Longer-Term Strategy
An advanced threat actor with apparent ties to China has leveraged a high-severity zero-day in a popular web platform to breach critical infrastructure organizations. The attack path combined vulnerability exploitation, credential harvesting, and open-source tooling to establish and maintain access. For defenders and security teams, this incident is a reminder that unpatched software, even in niche platforms like CMS products, can become the weakest link in enterprise defenses. ([BleepingComputer][1])

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.