Severity: Critical | Category: Attacks | Source: FortiGuard Threat Signal

UAT-8837 Critical Infrastructure Attack

The China-nexus threat actor UAT-8837 is actively targeting North American critical infrastructure organizations, primarily gaining initial access through exploitation of public-facing application vulnerabilities. Recent activity includes exploitation of CVE-2025-53690, a ViewState deserialization zero-day vulnerability in Sitecore products, enabling pre-authentication remote code execution. Organizations should immediately patch Sitecore deployments affected by CVE-2025-53690 and monitor for post-exploitation activity consistent with UAT-8837 behavior. FortiGuard Labs is providing ongoing threat monitoring, IPS signatures, antivirus/behavior detection, and IOC blocking.

What is the Attack?

An active campaign has been linked, with medium confidence, to a threat actor designated UAT-8837, which Cisco Talos assesses as a China-nexus group targeting critical infrastructure organizations in North America. Observed activity includes targeted intrusions aimed at gaining initial access, credential harvesting, and internal reconnaissance. UAT-8837 primarily gains initial access by exploiting public-facing application vulnerabilities, including both known n-day flaws and previously undisclosed zero-day vulnerabilities. In recent activity, the actor exploited CVE-2025-53690, a ViewState deserialization zero-day vulnerability in Sitecore products, indicating access to advanced exploitation capabilities and potential use of zero-day exploits. Sitecore is a widely used digital experience platform (DXP) that provides content management, personalization and e-commerce capabilities for enterprises. The flaw enables pre-authentication remote code execution (RCE) against internet-facing Sitecore deployments.

What is the recommended Mitigation?

• Organizations should immediately patch and remediate all exposed public-facing applications, with priority given to Sitecore deployments affected by CVE-2025-53690 (see Security Bulletin SC2025-005).
• Defensive teams should monitor for post-exploitation activity consistent with UAT-8837 behavior.

What FortiGuard Coverage is available?

• FortiGuard Labs is actively monitoring this threat activity and will continue to provide updates as the situation evolves, including new intelligence, indicators, and protection guidance.
• FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-53690 (see Intrusion Prevention | FortiGuard Labs).
• FortiGuard Antivirus & Behavior Detection: delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
• Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for emerging threats and new IOCs.
• FortiGuard Incident Response: organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.
