CVE-2025-64095
Published: 2025-10-28
Priority: P1 (89)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploitation status: ITW, public exploit, VulnCheck KEV
Exploited in the wild
EPSS: 44.66% (98.6th percentile)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads, and uploaded images can overwrite existing files. An unauthenticated user can upload and replace existing files, allowing defacement of a website and, combined with another issue, injection of XSS payloads. This vulnerability is fixed in 10.1.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dnn.platform | < 10.1.1 | 10.1.1 |
| dnnsoftware | dnn.platform | >= 0 < 10.1.1 | 10.1.1 |
| dnnsoftware | dotnetnuke | < 10.1.1 | 10.1.1 |
Detection & IOCs (extracted from sources)
command: overrideFiles=1&mode=Default&storageFolderID=1&portalID=0
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DNN (DotNetNuke) Unrestricted Arbitrary File Upload (CVE-2025-64095)"; flow:established,to_server; http.uri; content:"/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx"; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; http.request_body; content:"name|3d 22|file|22 3b|"; http.method; content:"POST"; reference:url,github.com/h4x0r-dz/CVE-2025-64095---DNN-Unauthenticated-arbitrary-file-upload; reference:cve,2025-64095; classtype:web-application-attack; sid:2065913; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_25, cve CVE_2025_64095, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect unauthenticated POST requests to the DNN CKE file uploader endpoint; the attacker needs no authentication headers or cookies, so the absence of a session cookie combined with a multipart upload to this path is highly suspicious.
- Successful exploitation returns a JSON response body containing both '{"group"' and 'delete_type' with HTTP 200 and Content-Type: text/plain; use these as confirmation matchers.
- The exploit sets 'overrideFiles=1' in the multipart body to overwrite existing files; alert on this parameter value in POST bodies to the uploader path.
- Identify DNN instances via Shodan/FOFA using the Set-Cookie header value 'dnn_IsMobile' or favicon hash -1465479343 for asset discovery and pre-exploitation scanning.
- The Snort/Suricata rule (ET sid:2065913) fires on a POST to the FileUploader.ashx URI with a multipart/form-data content type and a 'name="file";' field in the request body; deploy it at perimeter and internal SSL-decrypting sensors.
- The vulnerability is specific to the default HTML editor provider (DNNConnect.CKE); installations that have replaced or disabled this provider may not be exposed.
- The Snort rule metadata specifies 'tls_state TLSDecrypt', meaning the rule will only fire on TLS-encrypted traffic if the sensor is performing SSL/TLS inspection (SSLDecrypt deployment).
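The detection notes above combine three signals: the four content checks of ET sid:2065913, the overrideFiles=1 overwrite flag, and the absence of a session cookie, plus a response matcher for confirmation. The following log-side detector, written for this page as an added example (it is not code from the page, from DNN, or from Emerging Threats), applies those same conditions to request records such as a WAF or full-packet-capture pipeline would produce. Two things are assumptions: the DNN forms-authentication cookie is taken to be named .DOTNETNUKE (DNN's default, but not stated on the page), and the sample traffic is constructed here, not captured from a real host; overrideFiles=1 is checked both in the query string (as in the IOC above) and as a multipart field (as the third note describes).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Endpoint named in ET sid:2065913 and in the page's detection notes.
UPLOADER_PATH = "/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx"

# DNN's forms-authentication cookie; the name .DOTNETNUKE is DNN's default but is
# an assumption of this example, not something the page states.
SESSION_COOKIE_RE = re.compile(r"(?:^|;\s*)\.DOTNETNUKE=", re.IGNORECASE)

# overrideFiles=1 either as a query-string parameter or as a multipart form field.
OVERRIDE_QUERY_RE = re.compile(r"[?&]overrideFiles=1(?:&|$)")
OVERRIDE_FIELD_RE = re.compile(r'name="overrideFiles"\r?\n\r?\n1\r?\n')


@dataclass
class HttpRequest:
    """One request as a log pipeline or packet capture would hand it over."""
    method: str
    uri: str
    headers: Dict[str, str]
    body: str

    def header(self, name: str) -> str:
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def matches_et_rule(req: HttpRequest) -> bool:
    """Re-implements the content checks of ET sid:2065913 (method, URI, content type, file field)."""
    return (
        req.method.upper() == "POST"
        and UPLOADER_PATH in req.uri
        and "multipart/form-data;" in req.header("Content-Type").lower()
        and 'name="file";' in req.body
    )


def requests_overwrite(req: HttpRequest) -> bool:
    """True when the request carries overrideFiles=1 in the query string or as a form field."""
    return bool(OVERRIDE_QUERY_RE.search(req.uri) or OVERRIDE_FIELD_RE.search(req.body))


def classify(req: HttpRequest) -> Dict[str, object]:
    """Combine the rule hit with the page's two extra heuristics into one verdict."""
    rule_hit = matches_et_rule(req)
    unauthenticated = not SESSION_COOKIE_RE.search(req.header("Cookie"))
    overwrite = requests_overwrite(req)
    if not rule_hit:
        severity = "none"
    elif unauthenticated and overwrite:
        severity = "critical"   # unauthenticated upload that replaces existing content
    elif unauthenticated:
        severity = "high"       # unauthenticated upload without the overwrite flag
    else:
        severity = "medium"     # authenticated editor use; review rather than page
    return {"rule_hit": rule_hit, "unauthenticated": unauthenticated,
            "overwrite": overwrite, "severity": severity}


def exploit_confirmed(status: int, content_type: str, body: str) -> bool:
    """Response matcher from the page: HTTP 200, text/plain, JSON carrying group and delete_type."""
    return (status == 200
            and content_type.lower().startswith("text/plain")
            and '{"group"' in body
            and "delete_type" in body)


# ---- constructed sample traffic (built inline, not captured from a real host) ----
BOUNDARY = "----WebKitFormBoundaryc0nstructed"


def multipart_body(fields: Dict[str, str], filename: str) -> str:
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    parts.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; '
                 f'filename="{filename}"\r\nContent-Type: image/png\r\n\r\nPNG-BYTES\r\n')
    parts.append(f"--{BOUNDARY}--\r\n")
    return "".join(parts)


MULTIPART_CT = f"multipart/form-data; boundary={BOUNDARY}"
QUERY = "?overrideFiles=1&mode=Default&storageFolderID=1&portalID=0"

SAMPLE_REQUESTS: List[HttpRequest] = [
    # exploit attempt: no DNN session cookie, overwrite requested in query and body
    HttpRequest("POST", UPLOADER_PATH + QUERY, {"Content-Type": MULTIPART_CT},
                multipart_body({"overrideFiles": "1"}, "logo.png")),
    # legitimate editor upload: logged-in user, no overwrite flag
    HttpRequest("POST", UPLOADER_PATH,
                {"Content-Type": MULTIPART_CT, "Cookie": ".DOTNETNUKE=AAAA; dnn_IsMobile=False"},
                multipart_body({}, "photo.png")),
    # scanner probe: a GET to the endpoint never satisfies the rule
    HttpRequest("GET", UPLOADER_PATH, {}, ""),
]

# constructed stand-in for the uploader's success response
SAMPLE_RESPONSE_BODY = '{"group":"logo.png","name":"logo.png","delete_type":"DELETE"}'

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.method, r.uri.split("?")[0].rsplit("/", 1)[-1], classify(r))
    print("exploit confirmed:", exploit_confirmed(200, "text/plain", SAMPLE_RESPONSE_BODY))
```

The rule match alone should not page anyone: a logged-in editor uploading an image produces the same POST, so the session-cookie check is what separates legitimate use from the unauthenticated path this CVE opens, and the overwrite flag is what separates a stray upload from defacement. Run the request-side classifier on decrypted traffic (the ET rule's tls_state TLSDecrypt caveat applies equally here) and the response matcher only on the replies to requests already flagged.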
CVSS provenance
NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
VulnCheck: 10.0 CRITICAL
OSV
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
osv·2025-10-29
CVE-2025-64095 [CRITICAL] DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
### Summary
The default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files.
### Description
An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads.
GHSA
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
ghsa·2025-10-29
CVE-2025-64095 [CRITICAL] CWE-434 DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
### Summary
The default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files.
### Description
An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads.
VulnCheck
dnnsoftware DotNetNuke (DNN) Unrestricted Upload of File with Dangerous Type
vulncheck·2025·CVSS 10.0
CVE-2025-64095 [CRITICAL] dnnsoftware DotNetNuke (DNN) Unrestricted Upload of File with Dangerous Type
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads. This vulnerability is fixed in 10.1.1.
Affected: dnnsoftware DotNetNuke (DNN)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-64095; https://dashboard.sh
Suricata
ET WEB_SPECIFIC_APPS DNN (DotNetNuke) Unrestricted Arbitrary File Upload (CVE-2025-64095)
suricata·2025-11-25·CVSS 10.0
CVE-2025-64095 [CRITICAL] ET WEB_SPECIFIC_APPS DNN (DotNetNuke) Unrestricted Arbitrary File Upload (CVE-2025-64095)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DNN (DotNetNuke) Unrestricted Arbitrary File Upload (CVE-2025-64095)"; flow:established,to_server; http.uri; content:"/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx"; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; http.request_body; content:"name|3d 22|file|22 3b|"; http.method; content:"POST"; reference:url,github.com/h4x0r-dz/CVE-2025-64095---DNN-Unauthenticated-arbitrary-file-upload; reference:cve,2025-64095; classtype:web-application-attack; sid:2065913; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_25, cve CVE_2025_64095, deployment Perimeter, deploy
Nuclei
DNN - Unrestricted Arbitrary File Upload
nuclei·CVSS 9.8
CVE-2025-64095 [CRITICAL] DNN - Unrestricted Arbitrary File Upload
DNN (formerly DotNetNuke) < 10.1.1 contains an unrestricted file upload vulnerability caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting existing files, letting unauthenticated attackers deface websites and inject XSS payloads; the exploit requires no authentication.
Template:
id: CVE-2025-64095
info:
  name: DNN - Unrestricted Arbitrary File Upload
  author: DhiyaneshDk,pussycat0x
  severity: critical
  description: |
    DNN (formerly DotNetNuke) < 10.1.1 contains an unrestricted file upload vulnerability caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting existing files, letting unauthenticated attackers deface websites and inject XSS payloads, exploit requir
HackerOne
DNN - Unrestricted Arbitrary File Upload #████████
hackerone·2026-01-12·CVSS 10.0
CVE-2025-64095 [CRITICAL] DNN - Unrestricted Arbitrary File Upload #████████
**Description:**
DNN (formerly DotNetNuke) < 10.1.1 contains an unrestricted file upload vulnerability caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting existing files, letting unauthenticated attackers deface websites and inject XSS payloads; the exploit requires no authentication.
## References
https://nvd.nist.gov/vuln/detail/CVE-2025-64095
## Impact
Unauthenticated attackers can upload and overwrite files, leading to website defacement and cross-site scripting attacks.
## System Host(s)
█████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
#Vulnerable subdomain
https://██████████/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio