CVE-2019-25137
📋 TL;DR
This vulnerability allows authenticated administrators in Umbraco CMS to execute arbitrary code remotely via XSLT processing. Attackers can inject malicious scripts through the xsltVisualize.aspx page, leading to full system compromise. Only administrators with access to the developer tools are affected.
💻 Affected Systems
- Umbraco CMS
📦 What is this software?
Umbraco CMS by Umbraco
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the server, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Authenticated administrator or compromised admin account executes arbitrary code to steal data, modify content, or establish foothold for further attacks.
If Mitigated
Limited impact due to proper access controls, monitoring, and network segmentation preventing lateral movement.
🎯 Exploit Status
Multiple public exploits available, requires authenticated admin access
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 7.15.10 and 8.0+
Vendor Advisory: https://umbraco.com/blog/security-advisory-2019-10-28/
Restart Required: No
Instructions:
1. Upgrade to Umbraco 8.0 or later
2. Apply security patches for 7.x versions
3. Update via NuGet package manager or manual installation
🔧 Temporary Workarounds
Restrict Developer Access
- Remove or restrict access to the developer/Xslt/xsltVisualize.aspx page
- Remove or rename the xsltVisualize.aspx file
- Add IP restrictions to the developer directory
Disable XSLT Script Execution
- Configure the application to disable msxsl:script execution
- Modify web.config to restrict XSLT settings
🧯 If You Can't Patch
- Implement strict access controls for admin accounts with MFA
- Monitor and alert on access to xsltVisualize.aspx page
🔍 How to Verify
Check if Vulnerable:
Check Umbraco version in web.config or admin panel against affected versions
Check Version:
Check Umbraco.Core.dll version or admin dashboard
Verify Fix Applied:
Confirm the running version is 8.0+ or a patched 7.x release, and test that xsltVisualize.aspx is no longer reachable (removed, renamed, or IP-restricted)
📡 Detection & Monitoring
Log Indicators:
- Access to /developer/Xslt/xsltVisualize.aspx
- Unusual process creation from w3wp.exe or dotnet
Network Indicators:
- POST requests to xsltVisualize.aspx with msxsl:script content
- Outbound connections from web server to unknown IPs
SIEM Query:
source="web_logs" AND uri="/developer/Xslt/xsltVisualize.aspx" AND status=200
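As an added example (not part of this advisory), the log check above expressed as a small Python script: it parses IIS W3C-format log lines, flags successful hits on the XSLT visualizer page the way the SIEM query does, and checks a captured POST body for an msxsl extension script block. The log lines, usernames and IPs are constructed for illustration; the field layout is assumed to be the IIS W3C format with a `#Fields:` header.

```python
"""Added detection example for CVE-2019-25137 hits in IIS W3C logs (constructed data)."""
import re
from collections import Counter

# Constructed sample IIS W3C log excerpt; hypothetical users and addresses.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-01 10:00:01 GET /umbraco/ admin 10.0.0.5 200
2024-01-01 10:00:07 GET /umbraco/developer/Xslt/xsltVisualize.aspx admin 10.0.0.5 200
2024-01-01 10:00:09 POST /umbraco/developer/Xslt/xsltVisualize.aspx admin 10.0.0.5 200
2024-01-01 10:00:12 POST /umbraco/developer/Xslt/xsltVisualize.aspx editor 203.0.113.7 401
"""

TARGET_PAGE = "xsltvisualize.aspx"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
# Any prefix may be bound to the msxsl namespace, so match <prefix:script> generically.
SCRIPT_ELEMENT = re.compile(r"<[A-Za-z_][\w.-]*:script\b", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def flag_visualizer_hits(text):
    """Entries matching the advisory's SIEM query: the page served with status 200."""
    return [e for e in parse_w3c(text)
            if e["cs-uri-stem"].lower().endswith(TARGET_PAGE) and e["sc-status"] == "200"]


def summarize_hits(text):
    """Count successful hits per (user, client IP, method) for alert triage."""
    return Counter((e["cs-username"], e["c-ip"], e["cs-method"])
                   for e in flag_visualizer_hits(text))


def body_contains_script(body):
    """True if a captured POST body (e.g. from a WAF or reverse proxy, since IIS logs
    carry no bodies) declares the msxsl namespace and opens a script element."""
    return MSXSL_NS in body.lower() and SCRIPT_ELEMENT.search(body) is not None
```

Only the two `admin` entries are flagged; the `editor` POST that received 401 is excluded, matching the `status=200` clause of the SIEM query.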
🔗 References
- https://0xdf.gitlab.io/2020/09/05/htb-remote.html
- https://github.com/Ickarah/CVE-2019-25137-Version-Research
- https://github.com/noraj/Umbraco-RCE
- https://www.exploit-db.com/exploits/46153