Umbraco CMS
CVE-2025-67288
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Upload normally requires an authenticated backoffice user (PR:L) and a non-default insecure config to reach execution (AC:H); successful RCE yields full C/I/A on the host (S:U).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.
AnalysisAI
Arbitrary code execution in Umbraco CMS 16.3.3 is claimed via upload of a crafted PDF file that abuses insufficient file-type validation (CWE-434), potentially leading to server-side code execution. The finding is explicitly DISPUTED by Umbraco, which states that enforcing upload validation is the deploying administrator's responsibility per documentation, mirroring the earlier CVE-2023-49279. No public exploit is confirmed and EPSS is low (0.50%, 39th percentile), so despite the nominal CVSS 10.0 this reflects a contested, configuration-dependent condition rather than a proven turnkey RCE.
Technical ContextAI
Umbraco CMS is a widely used open-source ASP.NET (.NET) content management system whose backoffice media/upload handlers accept files that are later served or processed by the application. The CWE-434 (Unrestricted Upload of File with Dangerous Type) root cause here is that Umbraco, by design, delegates allow-list/deny-list enforcement of uploadable extensions and content validation to the administrator's configuration (e.g., the disallowed file-upload settings) rather than hard-blocking dangerous types itself. The single CPE identified is cpe:2.3:a:umbraco:umbraco_cms:16.3.3, and the reported vector (a 'crafted PDF') implies content that is either mis-typed or processed in a way that yields code execution only when the surrounding environment/config permits it - the same class of dispute raised in the related CVE-2023-49279.
RemediationAI
No vendor-released patch is identified at time of analysis, and Umbraco disputes that a code fix is warranted, framing this as a configuration responsibility. The actionable primary control is to harden Umbraco's upload settings: restrict allowed upload extensions via Umbraco's disallowed/allowed file-type configuration (block executable and script-capable types), ensure the media/upload directory is served with static-only handling so uploaded files cannot be executed by the web server, and confine backoffice upload permissions to trusted users only - trade-off: overly strict allow-lists may block legitimate editor workflows and require content-team coordination. As additional compensating controls, place uploaded content on a separate non-executable path or storage, add a WAF/upload-inspection rule for polyglot/PDF-mismatch content, and monitor the media directory for unexpected file types - noting these add operational overhead and can produce false positives. Track the vendor's guidance and the related CVE-2023-49279 documentation; consult https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288 for the reported technique, and upgrade if Umbraco later publishes a patched release.
More in Umbraco Cms
View allUmbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx
Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package
A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. Rated medium severity (CVSS 6.9), thi
A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scrip
An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, whi
Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package f
The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" param
Umbraco is a ASP.NET CMS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authenticat
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili
Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl par
Umbraco is a free and open source .NET content management system. Rated high severity (CVSS 8.8), this vulnerability is
Share
External POC / Exploit Code
Leaving vuln.today