CVE-2025-68924

7.5 HIGH

📋 TL;DR

This vulnerability allows an authenticated user of UmbracoForms to execute arbitrary code on the web server by supplying a malicious WSDL URL as a data source. It affects UmbracoForms installations up to and including version 8.13.16 where users have authenticated access to configure data sources.

💻 Affected Systems

Products:
  • UmbracoForms
Versions: through 8.13.16
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to configure data sources in UmbracoForms.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: the attacker gains complete control over the web server, enabling data theft, lateral movement, and installation of a persistent backdoor.

🟠 Likely Case

Remote code execution under the web application's process identity, leading to web shell deployment, data exfiltration, or cryptocurrency mining malware installation.

🟢 If Mitigated

Limited impact if data source configuration is restricted to trusted administrators, the server's outbound traffic is limited to approved destinations, and the application runs with least privilege.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires a backoffice account that can configure Forms data sources, but is straightforward once such credentials are obtained: the attacker only has to point a data source at a WSDL URL they control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.13.17 or later

Vendor Advisory: https://github.com/advisories/GHSA-vrgw-pc9c-qrrc

Restart Required: Yes

Instructions:

1. Update the UmbracoForms package to version 8.13.17 or later via NuGet (or the package manager you use for the site).
2. Rebuild and deploy the updated site.
3. Restart the application pool or web server.
4. Verify the installed version in the Umbraco backoffice.

🔧 Temporary Workarounds

Restrict WSDL URL Configuration (applies to: all)

Limit which users can configure data source URLs in UmbracoForms to trusted administrators only, and review the existing data sources for WSDL URLs you do not recognise.

Network Segmentation (applies to: all)

Block outbound connections from Umbraco servers to untrusted networks, allowing only the approved SOAP endpoints, so that a malicious WSDL cannot be fetched.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can configure UmbracoForms data sources, and audit which backoffice accounts currently hold that permission
  • Deploy web application firewall rules that inspect backoffice requests saving a data source and block WSDL URLs outside an allowlist of approved hosts

🔍 How to Verify

Check if Vulnerable:

Check the UmbracoForms package version in the Umbraco backoffice under Settings > Packages > Installed Packages; any version up to and including 8.13.16 is vulnerable.

Check Version:

Check the version shown in the Umbraco backoffice, or examine the file version of the Umbraco Forms assemblies (Umbraco.Forms.Core.dll and related) in the site's bin folder.

Verify Fix Applied:

Confirm UmbracoForms version is 8.13.17 or higher in the installed packages list.
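Where several sites have to be checked, comparing versions by hand is error-prone (a string comparison puts 8.13.9 after 8.13.16). The script below is an added example for this advisory, not Umbraco tooling: it reads the NuGet manifest an Umbraco 8 site carries (packages.config, or PackageReference items in a .csproj) and compares the declared UmbracoForms version to 8.13.17 numerically. The sample manifests are constructed, and only the 8.x range named on this page is encoded; other release branches would need their own fixed version.

```python
"""Check a site's declared UmbracoForms package version against the fixed release.

Added example for CVE-2025-68924; not Umbraco tooling. Only the 8.x fixed
version given in the advisory (8.13.17) is encoded.
"""
import xml.etree.ElementTree as ET

FIXED_VERSION = "8.13.17"      # patch version given in the advisory
PACKAGE_ID = "umbracoforms"    # NuGet id of the Forms package for Umbraco 8 (compared case-insensitively)


def parse_version(version):
    """'8.13.16' -> ((8, 13, 16), 1, '').  A pre-release suffix ('8.13.17-rc1')
    sorts before the final release of the same number."""
    core, _, pre = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (3 - len(nums))      # pad so '8.13' == '8.13.0'
    return (nums, 0 if pre else 1, pre)


def _local(tag):
    """Strip an XML namespace: '{urn:x}package' -> 'package'."""
    return tag.rsplit("}", 1)[-1]


def find_forms_version(xml_text):
    """Return the UmbracoForms version declared in packages.config or a .csproj, or None."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = _local(el.tag)
        # packages.config:  <package id="UmbracoForms" version="8.13.16" ... />
        if tag == "package" and el.get("id", "").lower() == PACKAGE_ID:
            return el.get("version")
        # csproj:  <PackageReference Include="UmbracoForms" Version="8.13.17" />
        #          or with the version as a child <Version> element
        if tag == "PackageReference" and el.get("Include", "").lower() == PACKAGE_ID:
            version = el.get("Version")
            if version is None:
                for child in el:
                    if _local(child.tag) == "Version" and child.text:
                        version = child.text.strip()
            return version
    return None


def is_vulnerable(version):
    """True when the declared version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample manifests (not taken from a real site)
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="UmbracoCms" version="8.18.8" targetFramework="net472" />
  <package id="UmbracoForms" version="8.13.16" targetFramework="net472" />
</packages>
"""

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="UmbracoForms" Version="8.13.17" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for label, text in (("packages.config", SAMPLE_PACKAGES_CONFIG), ("csproj", SAMPLE_CSPROJ)):
        found = find_forms_version(text)
        status = "not found" if found is None else ("VULNERABLE" if is_vulnerable(found) else "fixed")
        print(f"{label}: UmbracoForms {found} -> {status}")
```

Run it against the real manifest with `find_forms_version(open("packages.config").read())`; a declared version only proves what was restored, so still confirm the deployed assembly version as described above.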

📡 Detection & Monitoring

Log Indicators:

  • Data source configuration changes in the Umbraco logs that reference a WSDL URL on an external or unrecognised host
  • Suspicious child processes (for example cmd.exe or powershell.exe) spawned by the web server worker process hosting Umbraco (w3wp.exe on IIS)

Network Indicators:

  • Outbound connections from the Umbraco server to unusual domains or IP addresses fetching WSDL files, especially over plain HTTP

SIEM Query:

source="umbraco" AND ("WSDL" OR "datasource") AND url="*://*"

(Field names are illustrative; adjust them to your log schema.)
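A SIEM query of that shape only finds events that already carry a WSDL URL; the allowlist comparison still has to be done somewhere. The script below is an added example for this advisory, not Umbraco tooling or a vendor detection: it scans log events for URLs that fetch a WSDL and reports those whose host is not on an allowlist of sanctioned SOAP endpoints. The sample events are constructed; they follow the one-JSON-object-per-line shape Umbraco 8's Serilog sink writes (@t, @mt, @l plus named properties), but the message templates and property names are assumptions, so the detector scans every string in an event rather than depending on a particular message.

```python
"""Flag WSDL URLs in Umbraco log events whose host is not on an allowlist.

Added example for CVE-2025-68924; not Umbraco tooling. Log message templates
and property names in the sample are assumptions; non-JSON lines are skipped.
"""
import json
import re
from urllib.parse import urlsplit

# Assumption: the SOAP endpoints your forms are sanctioned to call.
ALLOWED_WSDL_HOSTS = {"erp.internal.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def looks_like_wsdl(url):
    """True for URLs that fetch a WSDL: a .wsdl path, or ?wsdl / ?singleWsdl queries."""
    parts = urlsplit(url)
    if parts.path.lower().endswith(".wsdl"):
        return True
    query_keys = {p.split("=", 1)[0].lower() for p in parts.query.split("&")}
    return bool(query_keys & {"wsdl", "singlewsdl"})


def _strings(obj):
    """Yield every string value in a nested JSON object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def suspicious_wsdl_urls(log_lines, allowed_hosts=ALLOWED_WSDL_HOSTS):
    """Return (timestamp, url, host) for each WSDL URL pointing outside allowed_hosts."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # plain-text line; nothing to parse
        for text in _strings(event):
            for url in URL_RE.findall(text):
                url = url.rstrip(".,;)")  # trailing punctuation from prose
                if not looks_like_wsdl(url):
                    continue
                host = (urlsplit(url).hostname or "").lower()
                if host not in allowed_hosts:
                    hits.append((event.get("@t"), url, host))
    return hits


# Constructed sample: a sanctioned data source, a data source pointed at an
# attacker-controlled WSDL, and an unrelated request that must not be flagged.
SAMPLE_LOG = """
{"@t":"2025-12-01T10:14:02.117Z","@mt":"Saved data source {Name} with WSDL {Url}","@l":"Information","Name":"Order lookup","Url":"https://erp.internal.example/orders.svc?wsdl","User":"editor@example.com"}
{"@t":"2025-12-01T10:21:45.903Z","@mt":"Saved data source {Name} with WSDL {Url}","@l":"Information","Name":"test","Url":"http://203.0.113.50:8080/evil.wsdl","User":"contractor@example.com"}
{"@t":"2025-12-01T10:22:01.004Z","@mt":"Fetched {Url}","@l":"Debug","Url":"https://cdn.example.net/script.js"}
"""

if __name__ == "__main__":
    for when, url, host in suspicious_wsdl_urls(SAMPLE_LOG.splitlines()):
        print(f"{when}  WSDL from non-allowlisted host {host}: {url}")
```

Point `suspicious_wsdl_urls` at the JSON log files under the site's App_Data/Logs folder (or at the same events once they are in the SIEM); a hit from a host you do not recognise, together with the user recorded on the event, is the starting point for the incident review.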
