CVE-2012-10054

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload and execute arbitrary ASPX scripts on Umbraco CMS servers. Attackers can achieve remote code execution by exploiting a path traversal flaw in the SOAP endpoint. All Umbraco CMS installations prior to version 4.7.1 are affected.

💻 Affected Systems

Products:
  • Umbraco CMS
Versions: All versions prior to 4.7.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires IIS with ASP.NET support. The vulnerable endpoint is enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.

🟢 If Mitigated

Attack blocked at network perimeter or detected before successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module available. Exploitation requires only HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.1

Vendor Advisory: https://web.archive.org/web/20111017174609/http://umbraco.codeplex.com/releases/view/73692

Restart Required: Yes

Instructions:

1. Back up your Umbraco installation and database.
2. Download Umbraco 4.7.1 or later.
3. Replace all files with the new version.
4. Restart IIS or the application pool.

🔧 Temporary Workarounds

Block vulnerable endpoint (Windows)

Restrict access to the codeEditorSave.asmx SOAP endpoint using web server rules.

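<!-- IIS URL Rewrite rule to block /umbraco/webservices/codeEditorSave.asmx.
     Requires the URL Rewrite module; place inside <system.webServer><rewrite><rules> in web.config. -->
<rule name="Block Umbraco RCE" stopProcessing="true">
  <!-- The pattern is a regular expression, so the dot is escaped -->
  <match url="umbraco/webservices/codeEditorSave\.asmx" />
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access denied" />
</rule>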

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Umbraco servers
  • Deploy a web application firewall (WAF) with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if /umbraco/webservices/codeEditorSave.asmx is accessible without authentication and Umbraco version is below 4.7.1.

Check Version:

Check /umbraco/version.txt or examine web.config for Umbraco version information

Verify Fix Applied:

Verify that the Umbraco version is 4.7.1 or higher and that the codeEditorSave.asmx endpoint is either no longer accessible or is properly secured.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /umbraco/webservices/codeEditorSave.asmx with SaveDLRScript operation
  • File creation events in /umbraco/ directory with .aspx extension
  • Unusual process execution from w3wp.exe

Network Indicators:

  • SOAP requests to codeEditorSave.asmx endpoint from untrusted sources
  • Upload of ASPX files to Umbraco paths

SIEM Query:

source="IIS" AND (url="*codeEditorSave.asmx*" OR url="*/umbraco/*.aspx")
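
The log indicators above can be correlated rather than matched one at a time. The following is an added example, not code from the advisory or from Umbraco: it flags POSTs to the endpoint and then any .aspx under /umbraco/ that the same client requests afterwards and that no ordinary client had requested before. Default IIS W3C fields do not carry the SOAP operation, so it keys on the POST itself; the sample log, the finding labels and the treatment of 403 as "blocked" are assumptions.

```python
# Added example (not from the advisory): triage an IIS W3C log for the
# indicators listed above. SAMPLE_LOG is constructed test data.
ENDPOINT = "/umbraco/webservices/codeeditorsave.asmx"

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2012-07-01 10:00:01 192.0.2.10 GET /umbraco/login.aspx 200
2012-07-01 10:00:05 198.51.100.7 POST /umbraco/webservices/codeEditorSave.asmx 200
2012-07-01 10:00:09 198.51.100.7 GET /umbraco/x1.aspx 200
2012-07-01 10:00:12 198.51.100.7 GET /umbraco/login.aspx 200
2012-07-01 10:02:00 192.0.2.44 POST /Umbraco/WebServices/CodeEditorSave.asmx 403
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def triage(text):
    """Return (timestamp, client_ip, finding, detail) tuples in log order."""
    findings = []
    baseline = set()  # /umbraco/*.aspx paths requested by ordinary clients
    posters = set()   # clients whose POST reached the endpoint (not 403)
    for req in parse_w3c(text):
        path = req["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        ip, status = req["c-ip"], req["sc-status"]
        when = req["date"] + " " + req["time"]
        if path == ENDPOINT and req["cs-method"] == "POST":
            if status == "403":  # e.g. stopped by the rewrite rule above
                findings.append((when, ip, "endpoint-post-blocked", status))
            else:
                posters.add(ip)
                findings.append((when, ip, "endpoint-post", status))
        elif path.startswith("/umbraco/") and path.endswith(".aspx"):
            if ip not in posters:
                baseline.add(path)
            elif path not in baseline:
                findings.append((when, ip, "new-aspx-after-post", path))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The baseline only suppresses pages that other clients were already requesting, so a "new-aspx-after-post" finding still needs to be checked against file creation events on the server.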
