CVE-2025-67288

10.0 CRITICAL

📋 TL;DR

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to upload malicious PDF files that can lead to remote code execution. This affects administrators who have not implemented proper file validation controls. The vendor disputes this as a vulnerability, stating file validation responsibility lies with system administrators implementing Umbraco.

💻 Affected Systems

Products:
  • Umbraco CMS
Versions: v16.3.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when file upload functionality is enabled without proper validation. The vendor disputes this as a CMS vulnerability, stating validation responsibility lies with implementers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the web server, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.

🟢 If Mitigated

No impact if proper file type validation and upload restrictions are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to file upload functionality. A public proof-of-concept exists in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: http://umbraco.com

Restart Required: No

Instructions:

No official patch available as vendor disputes this as a vulnerability. Implement file validation controls as described in Umbraco documentation.

🔧 Temporary Workarounds

Implement File Type Validation (all)

Restrict uploaded files to specific allowed types and validate file signatures.

Upload Directory Restrictions (all)

Configure upload directories to prevent execution of uploaded files.
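The two workarounds above amount to an extension allowlist plus a content-signature check. The validator below is an added illustration of those checks, not code from Umbraco or its documentation; the allowlist, the magic-byte table, the size ceiling and the filename rules are assumed policy values, and the same logic ports directly to a .NET upload handler.

```python
import os
import re

# Extension allowlist mapped to the magic bytes the content must start with.
# These values are constructed for this example; tune them to site policy.
ALLOWED_SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 10 * 1024 * 1024           # assumed upload size ceiling
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str, str]:
    """Return (accepted, reason, stored_name).

    Accepts only a single allow-listed extension whose bytes carry that
    type's signature; stored_name is the sanitized name to write to disk.
    """
    if not data:
        return False, "empty file", ""
    if len(data) > MAX_BYTES:
        return False, "file too large", ""
    # Drop any client-supplied directory part so the name cannot escape
    # the upload directory (handles both / and \ separators).
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '{ext}' not allowed", ""
    # A dot in the stem means a double extension (e.g. name.aspx.pdf);
    # reject it along with anything outside the safe character set.
    if not SAFE_STEM.match(stem):
        return False, "unsafe filename stem", ""
    # Trust the bytes, not the name: the declared type must match content.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not match {ext} signature", ""
    return True, "ok", stem + ext
```

A matching signature only shows the leading bytes look like a PDF, not that the file is harmless, so this check belongs alongside the upload-directory execution restriction listed above rather than in place of it.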

🧯 If You Can't Patch

  • Disable file upload functionality entirely if not required
  • Implement web application firewall rules to block malicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check whether the Umbraco version is 16.3.3 and whether file upload functionality is exposed without validation controls.

Check Version:

Check the Umbraco version in the administration panel or the web.config file.

Verify Fix Applied:

Test file upload functionality with malicious PDF files to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads, particularly PDF files with unusual sizes or names
  • Webshell creation in upload directories

Network Indicators:

  • HTTP POST requests with file uploads containing executable code patterns

SIEM Query:

source="web_server" AND (method="POST" AND uri="*/upload*" AND file_extension="pdf")
