CVE-2022-22690
📋 TL;DR
CVE-2022-22690 allows attackers to overwrite the UmbracoApplicationUrl configuration in Umbraco CMS, enabling them to redirect password reset and user invitation links to malicious servers. This can lead to account takeover through token interception. Affects Umbraco CMS administrators and users of sites running vulnerable versions.
💻 Affected Systems
- Umbraco CMS
📦 What is this software?
Umbraco CMS by Umbraco
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of all user accounts, including administrators, leading to full site compromise and potential data exfiltration.
Likely Case
Targeted account takeover of specific users through malicious password reset links, potentially leading to privilege escalation.
If Mitigated
No impact if ApplicationUrl is properly configured or the system is patched.
🎯 Exploit Status
Exploitation requires no authentication and is straightforward once the vulnerability is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.0 and later
Vendor Advisory: https://umbraco.com/blog/security-advisory-20th-of-january-2022-patch-is-now-available/
Restart Required: Yes
Instructions:
1. Back up your Umbraco site and database.
2. Update Umbraco CMS to version 9.2.0 or later via the NuGet package manager.
3. Restart the application pool or web server.
4. Verify the update by checking the Umbraco version in the backoffice.
🔧 Temporary Workarounds
Configure ApplicationUrl Manually
Explicitly set the UmbracoApplicationUrl in the Umbraco configuration so that links are built from a fixed, trusted URL rather than from an attacker-influenced value.
In appsettings.json or web.config, add:
"Umbraco": {
  "CMS": {
    "Global": {
      "UmbracoApplicationUrl": "https://your-domain.com"
    }
  }
}
🧯 If You Can't Patch
- Explicitly configure the UmbracoApplicationUrl setting in your configuration files.
- Implement network-level controls to restrict access to Umbraco backoffice from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
The site is vulnerable if the Umbraco version is below 9.2.0 and UmbracoApplicationUrl is not explicitly configured in appsettings.json or web.config.
Check Version:
In Umbraco backoffice: Settings > Updates, or check the Umbraco.Core assembly version.
Verify Fix Applied:
Confirm Umbraco version is 9.2.0 or higher via the backoffice Settings > Updates section, and verify ApplicationUrl is properly configured.
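The two checks above (package version below 9.2.0, and no explicit UmbracoApplicationUrl) can be scripted against the project files. The following is an added example, not code from the advisory or from Umbraco; it assumes the Umbraco version is declared as an Umbraco.Cms PackageReference in the site's .csproj and that the setting lives at Umbraco:CMS:Global:UmbracoApplicationUrl in appsettings.json. The sample .csproj and appsettings.json contents are constructed for the demonstration.

```python
import json
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (9, 2, 0)  # first patched release named in the advisory


def parse_version(text):
    """Reduce '9.1.1' or '9.2.0-rc' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def umbraco_package_version(csproj_xml):
    """Return the Version attribute of the Umbraco.Cms PackageReference, or None.
    Assumption: the site declares Umbraco as a NuGet PackageReference."""
    root = ET.fromstring(csproj_xml)
    for ref in root.iter("PackageReference"):
        if ref.get("Include", "").lower() == "umbraco.cms":
            return ref.get("Version")
    return None


def application_url(appsettings_text):
    """Return Umbraco:CMS:Global:UmbracoApplicationUrl if it is a non-empty string, else None.
    ASP.NET Core configuration keys are case-insensitive, so the lookup is too."""
    node = json.loads(appsettings_text)
    for key in ("umbraco", "cms", "global", "umbracoapplicationurl"):
        if not isinstance(node, dict):
            return None
        matches = [v for k, v in node.items() if k.lower() == key]
        if not matches:
            return None
        node = matches[0]
    return node if isinstance(node, str) and node.strip() else None


def assess(csproj_xml, appsettings_text):
    """Apply the advisory's rule: vulnerable when the version is below 9.2.0 AND no
    explicit UmbracoApplicationUrl is configured. An undeterminable version is
    treated as unpatched so the check errs on the side of flagging."""
    ver = umbraco_package_version(csproj_xml)
    patched = ver is not None and parse_version(ver) >= FIXED_VERSION
    url = application_url(appsettings_text)
    return {
        "version": ver,
        "patched": patched,
        "url_configured": url is not None,
        "vulnerable": (not patched) and url is None,
    }


# --- constructed sample inputs (not taken from any real site) ---
VULNERABLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="9.1.1" />
  </ItemGroup>
</Project>"""

PATCHED_CSPROJ = VULNERABLE_CSPROJ.replace('Version="9.1.1"', 'Version="9.2.0"')

APPSETTINGS_WITHOUT_URL = '{"Umbraco": {"CMS": {"Global": {}}}}'

APPSETTINGS_WITH_URL = (
    '{"Umbraco": {"CMS": {"Global": {"UmbracoApplicationUrl": "https://your-domain.com"}}}}'
)

if __name__ == "__main__":
    for label, csproj, settings in (
        ("unpatched, no URL", VULNERABLE_CSPROJ, APPSETTINGS_WITHOUT_URL),
        ("unpatched, URL set", VULNERABLE_CSPROJ, APPSETTINGS_WITH_URL),
        ("patched, no URL", PATCHED_CSPROJ, APPSETTINGS_WITHOUT_URL),
    ):
        print(f"{label}: {assess(csproj, settings)}")
```

Run it against the real files by reading the .csproj and appsettings.json from disk and passing their contents to assess(); a site that overrides the setting through environment variables or another configuration provider will not be seen by this file-based check and needs to be confirmed separately.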
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Umbraco configuration settings
- Failed login attempts followed by password reset requests
- Password reset requests from unexpected IP addresses
Network Indicators:
- Outbound connections to unusual domains from password reset processes
- HTTP requests with manipulated host headers to Umbraco endpoints
SIEM Query:
source="umbraco" AND (event="ConfigurationChange" OR event="PasswordReset") AND (url CONTAINS "malicious-domain" OR user_agent="attacker-tool")
The quoted values above are placeholders; substitute your own indicators and the field names used by your log source.
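The network indicator above (requests to Umbraco endpoints carrying a manipulated host header) can be turned into a concrete check over web-server or reverse-proxy logs: any request to a backoffice path whose Host or X-Forwarded-Host value is not one of the site's legitimate hostnames is worth an alert, because those are the values a site without an explicit UmbracoApplicationUrl would use when building reset and invitation links. The following is an added example, not part of the advisory and not Umbraco's own code; it assumes a JSON-lines log format with the fields shown, an allow-list derived from your configured UmbracoApplicationUrl, and the backoffice living under /umbraco. The log lines and the password-reset path in them are constructed for the demonstration.

```python
import json

# Assumption: the hostnames this site is legitimately served under, taken from
# the configured UmbracoApplicationUrl plus any aliases you deliberately serve.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Assumption: the Umbraco backoffice is served under this path prefix.
BACKOFFICE_PREFIX = "/umbraco"


def normalize_host(value):
    """Lower-case the host and drop any :port suffix so comparisons are stable."""
    return value.strip().lower().split(":")[0]


def is_backoffice_path(path):
    return path.lower().startswith(BACKOFFICE_PREFIX)


def suspicious_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (line_no, reason, record) for backoffice requests whose Host
    or X-Forwarded-Host header is outside the allow-list. Unparseable lines are
    reported too, so a logging failure cannot silently hide activity."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            hits.append((line_no, "unparseable log line", line))
            continue
        if not is_backoffice_path(rec.get("path", "")):
            continue
        for header in ("host", "x_forwarded_host"):
            value = rec.get(header)
            if value and normalize_host(value) not in allowed_hosts:
                hits.append((line_no, f"unexpected {header} header: {value}", rec))
    return hits


# --- constructed sample log lines (JSON lines, not from any real system) ---
SAMPLE_LOG_LINES = [
    '{"ts":"2022-01-21T09:00:01Z","client":"198.51.100.10","method":"POST",'
    '"path":"/umbraco/backoffice/password-reset","host":"www.example.com"}',
    '{"ts":"2022-01-21T09:00:07Z","client":"203.0.113.45","method":"POST",'
    '"path":"/umbraco/backoffice/password-reset","host":"unexpected-host.example"}',
    '{"ts":"2022-01-21T09:00:09Z","client":"203.0.113.45","method":"GET",'
    '"path":"/blog/welcome","host":"unexpected-host.example"}',
    '{"ts":"2022-01-21T09:00:12Z","client":"203.0.113.46","method":"POST",'
    '"path":"/umbraco/backoffice/password-reset","host":"www.example.com",'
    '"x_forwarded_host":"unexpected-host.example:8080"}',
]

if __name__ == "__main__":
    for line_no, reason, rec in suspicious_requests(SAMPLE_LOG_LINES):
        client = rec.get("client", "?") if isinstance(rec, dict) else "?"
        print(f"line {line_no}: {reason} (client {client})")
```

Line 3 is deliberately not flagged: an odd Host header on a public page is noise, while the same header on a backoffice request is the condition that matters here. The same logic transfers to a SIEM rule by filtering on the backoffice path prefix and comparing the host fields against the allow-list.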