Summary: Cisco Talos has identified a Chinese state-sponsored group (UAT-8837) actively exploiting a critical Sitecore CMS vulnerability (CVE-2025-53690) to breach critical infrastructure organizations. Once inside, the group disables RDP security features and deploys “EarthWorm” to tunnel traffic out of the secure network.
Business Impact: This highlights the risk of “Web-to-OT” pivoting. Attackers are using vulnerable public-facing websites (running Sitecore) as a stepping stone to reach internal Operational Technology (OT) networks that control physical machinery and utilities.
Why It Happened: Many organizations patch their OS and firewalls but neglect the Content Management System (CMS) layer. Sitecore is widely used in enterprise environments, making it a high-yield target for APTs looking for a foothold.
Recommended Executive Action: Audit your external web footprint for Sitecore instances. If found, verify they are patched against CVE-2025-53690. Ensure your web servers are in a DMZ and cannot directly initiate connections to your internal OT/production network.
Hashtags: #Sitecore #APT #China #CriticalInfrastructure #OTSecurity #CiscoTalos
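The segmentation check from the recommended action, as an added example that is not from the Talos report or the original post: a small first-match firewall policy evaluator that flags any allow rule giving the DMZ web tier a path into the OT subnet, and shows a weak policy beside its corrected form. The rule format, the 10.10.0.0/24 DMZ and 10.50.0.0/16 OT addressing, the jump-host address and both rule sets are constructed assumptions, not any vendor's syntax or any real network.

```python
"""Check whether DMZ web hosts can initiate connections into an OT network.

Added example (not from the Talos report): a first-match firewall policy
evaluator. The rule format, zone addressing and both policies are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    dports: tuple    # destination ports; empty tuple means any port


# Constructed zones (assumed addressing).
DMZ_WEB = ipaddress.ip_network("10.10.0.0/24")   # public-facing CMS servers
OT_NET = ipaddress.ip_network("10.50.0.0/16")    # operational technology

# Constructed policy with the weakness the post describes: a broad management
# rule lets every 10/8 host, the DMZ included, reach OT over RDP.
WEAK_POLICY = [
    Rule("mgmt-rdp-any", "allow", "10.0.0.0/8", "10.50.0.0/16", (3389,)),
    Rule("web-to-db", "allow", "10.10.0.0/24", "10.20.0.0/24", (1433,)),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", ()),
]

# Corrected policy: explicit DMZ->OT deny first, RDP only from one jump host
# (10.90.0.10 is an assumed address).
HARDENED_POLICY = [
    Rule("dmz-to-ot-deny", "deny", "10.10.0.0/24", "10.50.0.0/16", ()),
    Rule("mgmt-rdp-jump", "allow", "10.90.0.10/32", "10.50.0.0/16", (3389,)),
    Rule("web-to-db", "allow", "10.10.0.0/24", "10.20.0.0/24", (1433,)),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", ()),
]


def first_match(policy, src_ip, dst_ip, dport):
    """Return the first rule matching the flow, or None (treated as deny).

    dport=None means "any port" and only matches rules with no port list.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return rule
    return None


def _narrower(a, b):
    """Two overlapping CIDRs are nested, so their intersection is the more specific one."""
    return a if a.prefixlen >= b.prefixlen else b


def _sample(net):
    """Pick one concrete host address inside a network for a test flow."""
    return str(net[1] if net.num_addresses > 1 else net[0])


def dmz_to_ot_paths(policy, dmz=DMZ_WEB, ot=OT_NET):
    """List (rule, src, dst, port) for every allow rule that really opens a
    DMZ->OT path, i.e. one not shadowed by an earlier deny rule."""
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        rsrc = ipaddress.ip_network(rule.src)
        rdst = ipaddress.ip_network(rule.dst)
        if not (rsrc.overlaps(dmz) and rdst.overlaps(ot)):
            continue
        # Build a concrete flow inside the overlap and re-evaluate it top-down,
        # so a deny placed above the allow correctly suppresses the finding.
        src_ip = _sample(_narrower(rsrc, dmz))
        dst_ip = _sample(_narrower(rdst, ot))
        for port in rule.dports or (None,):
            hit = first_match(policy, src_ip, dst_ip, port)
            if hit is not None and hit.action == "allow":
                findings.append((hit.name, src_ip, dst_ip, port))
    return findings


def is_segmented(policy):
    """True when no DMZ web host can initiate any flow into the OT network."""
    return not dmz_to_ot_paths(policy)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "segmented" if is_segmented(policy) else dmz_to_ot_paths(policy))
```

The check deliberately evaluates a concrete flow through the whole ordered policy rather than just scanning for overlapping allow rules, because on a first-match firewall an explicit deny placed above a broad allow is what actually blocks the path; reordering the same rules can silently reopen it.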
