cbcvebase.
CVE-2025-52488
published 2025-06-21

CVE-2025-52488: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM…

PriorityP185high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
29.34%
97.9th percentile
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.

Affected

5 ranges
VendorProductVersion rangeFixed in
dnnsoftwarednn.platform
dnnsoftwarednn.platform>= 6.0.0 < 10.0.110.0.1
dnnsoftwaredotnetnuke>= 6.0.0 < 10.0.110.0.1
msrccbl2_kernel_5.15.176.3-1_on_cbl_mariner_2.0
msrccbl2_kernel_5.15.182.1-1_on_cbl_mariner_2.0

Detection & IOCsextracted from sources · hover to see the quote

url/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx?PortalID=0&storageFolderID=1&overrideFiles=false
path/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx
bytes
%EF%BC%BC%EF%BC%BC<interactsh-url>%EF%BC%BC%EF%BC%BCc$%EF%BC%BC%EF%BC%BCan.jpg
  • Detect exploit attempts by monitoring POST requests to the DNNConnect CKE FileUploader endpoint containing Unicode fullwidth reverse solidus characters (U+FF3C, encoded as %EF%BC%BC) in the multipart filename field, which are used to construct a UNC path to an attacker-controlled SMB server after Windows Unicode normalization.
  • Confirm DNN presence on a target by checking for the 'dnn_IsMobile' Set-Cookie header in HTTP responses, or for body strings 'dotnetnuke', 'dnnconnect', or 'runtime error'.
  • Fingerprint DNN installations via Shodan using favicon hash -1465479343 or FOFA icon_hash "-1465479343" to identify exposed targets.
  • The attack is unauthenticated (no auth required) and targets the file upload endpoint with a crafted filename using Unicode fullwidth backslashes that normalize to standard backslashes, forming a UNC path (\\<attacker-smb>\c$\an.jpg) that triggers an outbound SMB connection leaking NTLM hashes.
  • Monitor for outbound SMB (TCP 445) connections from the DNN web server process to external/unexpected hosts, which would indicate successful NTLM hash leakage triggered by this vulnerability.
  • The exploit uses a multipart/form-data POST with Content-Type boundary '----WebKitFormBoundaryXXXXXXXXXXXX' and a filename containing percent-encoded Unicode fullwidth characters; look for %EF%BC%BC sequences in multipart filename fields in web server logs.
  • ·The vulnerability affects DNN Platform versions 6.0.0 up to (but not including) 10.0.1; version 10.0.1 contains the patch. Ensure version checks account for this full range.
  • ·The Nuclei template requires an OOB/interactsh interaction (DNS callback) to confirm exploitation; DNS interaction alone is the confirmation signal, meaning network-level egress blocking of SMB (TCP 445) to external hosts would prevent both exploitation and OOB confirmation.

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck8.6HIGH
vendor_msrc5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.