CVE-2025-66625
📋 TL;DR
This vulnerability in Umbraco CMS allows attackers with backoffice access to enumerate arbitrary files on the server filesystem by exploiting predictable temporary file paths during dictionary uploads. The error responses (HTTP 500 vs 404) reveal file existence, and in some configurations, incomplete cleanup may expose Windows NTLM hashes. Only affects Umbraco installations with backoffice access.
💻 Affected Systems
- Umbraco CMS
📦 What is this software?
Umbraco Cms by Umbraco
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains file existence enumeration capability, potentially discovers sensitive file locations, and in specific configurations obtains NTLM hashes that could be used for pass-the-hash attacks.
Likely Case
Information disclosure allowing attackers to map server filesystem structure and confirm existence of sensitive files, facilitating further targeted attacks.
If Mitigated
Limited information disclosure with no file content access, minimal impact if proper access controls and monitoring are in place.
🎯 Exploit Status
Exploitation requires authenticated backoffice access. Attack methodology is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.12.1
Vendor Advisory: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hfv2-pf68-m33x
Restart Required: Yes
Instructions:
1. Backup your Umbraco installation and database.
2. Update to Umbraco CMS version 13.12.1 or later.
3. Restart the application pool/IIS service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Backoffice Access
Limit backoffice access to trusted users only using IP restrictions and strong authentication.
Implement WAF Rules
Configure web application firewall to block requests to predictable temporary file paths.
🧯 If You Can't Patch
- Implement strict access controls to limit backoffice access to minimum necessary users
- Monitor for unusual file enumeration patterns in application logs
🔍 How to Verify
Check if Vulnerable:
Check Umbraco version in web.config or via backoffice Settings > Updates section. If version is between 10.0.0 and 13.12.0 inclusive, system is vulnerable.
Check Version:
Check web.config file for <add key="umbracoConfigurationStatus" value="X.X.X" /> or view in backoffice Settings > Updates
Verify Fix Applied:
Confirm Umbraco version is 13.12.1 or later. Test dictionary upload functionality to ensure proper temporary file handling.
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP 500 errors for predictable file paths
- Unusual dictionary upload activity from single user
- Pattern of file existence checks in error logs
Network Indicators:
- Repeated requests to /umbraco/backoffice/ paths with predictable file patterns
- Unusual spike in 404/500 responses
SIEM Query:
source="umbraco_logs" AND (status=500 OR status=404) AND uri_path="/umbraco/backoffice/*" | stats count by src_ip, uri_path
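The SIEM query above aggregates 404/500 backoffice hits by source and path. The following is an added example (not part of the advisory or of Umbraco) that performs the same aggregation offline over constructed access-log lines and flags sources whose error volume and 404/500 mix fit the file-existence-oracle pattern; the log layout, IPs and the `/umbraco/backoffice/example-...` endpoint paths are constructed placeholders, not real Umbraco routes.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in combined-log layout (not real Umbraco output).
# The backoffice endpoint paths below are placeholders, not real Umbraco routes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "POST /umbraco/backoffice/example-dictionary-upload HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "POST /umbraco/backoffice/example-dictionary-upload HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "POST /umbraco/backoffice/example-dictionary-upload HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2025:10:00:04 +0000] "POST /umbraco/backoffice/example-dictionary-upload HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "POST /umbraco/backoffice/example-dictionary-upload HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2025:10:00:06 +0000] "POST /umbraco/backoffice/example-dictionary-upload HTTP/1.1" 404 0
192.168.1.20 - - [01/Jan/2025:10:01:00 +0000] "GET /umbraco/backoffice/example-content HTTP/1.1" 200 1234
192.168.1.20 - - [01/Jan/2025:10:01:05 +0000] "GET /umbraco/backoffice/example-missing HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2025:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 404 0
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
BACKOFFICE_PREFIX = "/umbraco/backoffice/"
ORACLE_CODES = {404, 500}  # the two responses that leak file existence

def parse(lines):
    """Yield (src_ip, uri_path, status) for every line matching the log layout."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])

def backoffice_error_counts(lines):
    """Same aggregation as the SIEM query: 404/500 backoffice hits by (src_ip, uri_path)."""
    counts = Counter()
    for ip, path, status in parse(lines):
        if path.startswith(BACKOFFICE_PREFIX) and status in ORACLE_CODES:
            counts[(ip, path)] += 1
    return counts

def enumeration_suspects(lines, threshold=5):
    """Flag sources with at least `threshold` 404/500 backoffice responses; a source that
    has collected BOTH codes (500 = present, 404 = absent) fits the existence-oracle pattern."""
    per_ip = defaultdict(Counter)
    for ip, path, status in parse(lines):
        if path.startswith(BACKOFFICE_PREFIX) and status in ORACLE_CODES:
            per_ip[ip][status] += 1
    return {ip: {"total": sum(c.values()), "oracle_pattern": set(c) == ORACLE_CODES}
            for ip, c in per_ip.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))  # {'10.0.0.5': {'total': 6, 'oracle_pattern': True}}
```

Tune `threshold` to the normal backoffice error rate of your installation before acting on the output, since a single legitimate editor hitting a stale link also produces isolated 404s.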