A critical security vulnerability, identified as CVE-2025-52488, has been discovered in DotNetNuke (DNN), an open-source content management system (CMS) widely used by enterprises. This flaw allows for pre-authentication NTLM hash leakage due to a complex interaction involving benign file operations, path handling, and Unicode normalization. The vulnerability could enable attackers to capture sensitive authentication credentials, posing a significant risk of unauthorized access and system compromise.
The issue stems from how DNN processes file uploads, specifically within the Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx endpoint. Security researcher "shubs" highlighted the danger, stating, "Whenever I audit C# code, I look for benign file operations such as File.Exists(), especially if there's a preceding Path.Combine(). Read about how we leaked NTLM hashes pre-authentication in DotNetNuke (CVE-2025-52488) due to a perfect storm of issues."
The "perfect storm" involves the File.Exists() function, which can initiate an SMB connection if provided with a UNC path, and the Path.Combine() method, which ignores its first argument if the second argument (often user-controlled) is an absolute path. Crucially, a Unicode normalization routine in DNN's file name sanitization process converts certain full-width Unicode characters (e.g., U+FF0E for full stop, U+FF3C for backslash) into their standard ASCII equivalents after initial security checks. This bypasses validation, allowing an attacker to craft a malicious filename that, once normalized, becomes a UNC path like \\attacker.com\share.
When this crafted filename is passed to File.Exists() within the Path.Combine() context, the system attempts to resolve the attacker-controlled UNC path, inadvertently sending the server's NTLM hashes to an external, attacker-controlled SMB server. This pre-authentication exposure means an attacker does not need to be logged in to exploit the vulnerability. The leaked NTLM hashes can then be used for offline cracking or NTLM relay attacks, leading to credential theft and potential lateral movement within a network.
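The ordering problem described above, shown as an added example that is not DNN's code or part of the original article: a filename filter that runs before normalization is compared with one that runs after it and also confirms the result stays under the upload directory. Python's ntpath.join behaves like Path.Combine in discarding the base when the second argument is absolute; NFKC as the normalization form, UPLOAD_ROOT, the function names and the sample hostname are assumptions made for illustration.

```python
import ntpath
import unicodedata

UPLOAD_ROOT = r"C:\inetpub\dnn\Portals\0"  # hypothetical upload directory

def looks_unsafe(name: str) -> bool:
    """ASCII-only filter of the kind that runs before normalization."""
    return any(ch in name for ch in "\\/:") or ".." in name

def normalize(name: str) -> str:
    # Assumption: NFKC stands in for DNN's own normalization routine.
    return unicodedata.normalize("NFKC", name)

def combine_check_first(name: str) -> str:
    """Flawed order: check, then normalize, then combine."""
    if looks_unsafe(name):
        raise ValueError("rejected by filter")
    # ntpath.join, like Path.Combine, drops the root when the name is absolute.
    return ntpath.join(UPLOAD_ROOT, normalize(name))

def combine_normalize_first(name: str) -> str:
    """Hardened order: normalize, check, combine, confirm containment."""
    clean = normalize(name)
    if looks_unsafe(clean) or ntpath.isabs(clean):
        raise ValueError("rejected after normalization")
    full = ntpath.normpath(ntpath.join(UPLOAD_ROOT, clean))
    if not full.lower().startswith(UPLOAD_ROOT.lower() + "\\"):
        raise ValueError("escapes upload root")
    return full

def is_unc(path: str) -> bool:
    return path.startswith("\\\\")

# Constructed test filename: U+FF3C and U+FF0E in place of "\" and ".".
SAMPLE = "\uff3c\uff3cfileserver\uff0eexample\uff3cshare\uff3ca\uff0ejpg"

if __name__ == "__main__":
    print("check-first     ->", combine_check_first(SAMPLE))
    try:
        combine_normalize_first(SAMPLE)
    except ValueError as err:
        print("normalize-first ->", err)
    print("plain name      ->", combine_normalize_first("photo.jpg"))
```

The same sample works as a regression test for any upload handler: the resolved path must never satisfy is_unc() and must always begin with the upload root.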
DotNetNuke, established in 2003, is a long-standing C# (.NET) based CMS. The vulnerability affects DNN.PLATFORM versions from 6.0.0 up to, but not including, 10.0.1. Users are strongly advised to upgrade to version 10.0.1 or later to mitigate this high-severity risk. Temporary measures, such as Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS), can help monitor and block suspicious traffic but do not address the underlying flaw.