cbcvebase.
CVE-2025-64095
published 2025-10-28

CVE-2025-64095: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider…

PriorityP189critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
44.66%
98.6th percentile
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads. This vulnerability is fixed in 10.1.1.

Affected

3 ranges
VendorProductVersion rangeFixed in
dnnsoftwarednn.platform< 10.1.110.1.1
dnnsoftwarednn.platform>= 0 < 10.1.110.1.1
dnnsoftwaredotnetnuke< 10.1.110.1.1

Detection & IOCsextracted from sources · hover to see the quote

url/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx
commandoverrideFiles=1&mode=Default&storageFolderID=1&portalID=0
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DNN (DotNetNuke) Unrestricted Arbitrary File Upload (CVE-2025-64095)"; flow:established,to_server; http.uri; content:"/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx"; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; http.request_body; content:"name|3d 22|file|22 3b|"; http.method; content:"POST"; reference:url,github.com/h4x0r-dz/CVE-2025-64095---DNN-Unauthenticated-arbitrary-file-upload; reference:cve,2025-64095; classtype:web-application-attack; sid:2065913; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_25, cve CVE_2025_64095, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect unauthenticated POST requests to the DNN CKE file uploader endpoint; no authentication headers/cookies are required by the attacker, so absence of a session cookie combined with a multipart upload to this path is highly suspicious.
  • Successful exploitation returns a JSON response body containing both '{"group"' and 'delete_type' with HTTP 200 and Content-Type: text/plain — use these as confirmation matchers.
  • The exploit sets 'overrideFiles=1' in the multipart body to overwrite existing files; alert on this parameter value in POST bodies to the uploader path.
  • Identify DNN instances via Shodan/FOFA using the Set-Cookie header value 'dnn_IsMobile' or favicon hash -1465479343 for asset discovery and pre-exploitation scanning.
  • The Snort/Suricata rule (ET sid:2065913) fires on POST to the FileUploader.ashx URI with multipart/form-data content-type and a 'name="file";' field in the request body — deploy at perimeter and internal SSL-decrypting sensors.
  • ·The vulnerability is specific to the default HTML editor provider (DNNConnect.CKE); installations that have replaced or disabled this provider may not be exposed.
  • ·The Snort rule metadata specifies 'tls_state TLSDecrypt', meaning the rule will only fire on TLS-encrypted traffic if the sensor is performing SSL/TLS inspection (SSLDecrypt deployment).

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.