DNN Vulnerability Let Attackers Steal NTLM Credentials via Unicode Normalization Bypass

Posted on July 8, 2025 (July 9, 2025) By CWS

A critical vulnerability in DNN (formerly DotNetNuke) allows attackers to steal NTLM credentials through a sophisticated Unicode normalization bypass technique.

The vulnerability, tracked as CVE-2025-52488, affects one of the oldest open-source content management systems and demonstrates how defensive coding measures can be circumvented by clever exploitation of Windows and .NET quirks.

Key Takeaways
1. CVE-2025-52488 in DNN allows attackers to steal NTLM credentials without requiring user authentication.
2. Specific Unicode characters (U+FF0E, U+FF3C) normalize into dots and backslashes after passing security validation, bypassing security mechanisms.
3. Malicious filenames transform into UNC paths (\\attacker.com\share) that trigger SMB connections to attacker-controlled servers via File.Exists.
4. Enables NTLM credential theft affecting enterprises and demonstrates how defensive coding can be circumvented through character encoding.

NTLM Credential Leak

Searchlight Cyber reports that the vulnerability exploits a fundamental weakness in how .NET applications handle file system operations on Windows machines.

When attackers control file paths, they can supply UNC (Universal Naming Convention) paths that trigger out-of-band calls to attacker-controlled SMB servers.

This mechanism becomes particularly dangerous when combined with functions like File.Exists, System.Net.HttpRequest, and System.Net.WebClient, which can inadvertently leak NTLM credentials to malicious servers.

The attack leverages the Path.Combine function's behavior in C#, where if the second argument contains an absolute path, the first argument is completely ignored.

According to Microsoft documentation, “if an argument other than the first contains a rooted path, any previous path components are ignored, and the returned string begins with that rooted path component.”

This behavior, while documented, frequently leads to security vulnerabilities in C# codebases.

Technical analysis shows that the core of this vulnerability lies in DNN's Unicode handling process.

The application implements several security boundaries to prevent malicious file uploads, including Path.GetFileName calls, regex replacements, and validation functions like Utility.ValidateFileName and Utility.CleanFileName.

However, these security checks happen before the critical Utility.ConvertUnicodeChars function. The vulnerable code section shows:

The ConvertUnicodeChars function contains the critical vulnerability in this line:

This normalization process converts Unicode characters to ASCII equivalents, effectively bypassing all previously applied security measures.

Researchers found specific Unicode characters that normalize into dangerous path components:

%EF%BC%8E (U+FF0E): “FULLWIDTH FULL STOP” normalizes to “.”

%EF%BC%BC (U+FF3C): “FULLWIDTH REVERSE SOLIDUS” normalizes to “\”

These characters allow attackers to construct malicious filenames that appear safe during initial validation but transform into UNC paths after normalization. The exploit payload demonstrates this:

When processed, this becomes: \\attacker.com\share\file.jpg, triggering an SMB connection that leaks NTLM credentials to the attacker's Responder server.
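The ordering problem described above, contrasted with the corrected order, as an added example that is not DNN's code and not from the original article. `LooksSafe`, the upload root, the host name and the use of `NormalizationForm.FormKC` are assumptions made for illustration; the `Path.Combine` result described in the comments applies on Windows.

```csharp
using System;
using System.IO;
using System.Text;

static class UploadNameCheck
{
    // Hypothetical stand-in for a filename validator: no separators, no "..".
    static bool LooksSafe(string name) =>
        name.IndexOfAny(new[] { '\\', '/', ':' }) < 0 && !name.Contains("..");

    // Order described in the article: validate first, normalize afterwards.
    // The string that was checked is not the string that gets used.
    static string ValidateThenNormalize(string name)
    {
        if (!LooksSafe(name)) throw new ArgumentException("rejected");
        return name.Normalize(NormalizationForm.FormKC);
    }

    // Corrected order: normalize, validate the normalized string, then
    // confirm the combined path still lies under the upload root.
    static string NormalizeThenValidate(string root, string name)
    {
        string n = name.Normalize(NormalizationForm.FormKC);
        if (n.Length == 0 || !LooksSafe(n)) throw new ArgumentException("rejected");
        string full = Path.GetFullPath(Path.Combine(root, n));
        string prefix = root.TrimEnd('\\') + "\\";
        if (!full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("outside upload root");
        return full;
    }

    static void Main()
    {
        const string root = @"C:\inetpub\uploads"; // constructed upload root
        // Constructed input: U+FF3C and U+FF0E stand in for '\' and '.'.
        string name = "\uFF3C\uFF3Cfileserver\uFF0Eexample\uFF3Cshare\uFF3Cpic\uFF0Ejpg";

        // Passes validation, then turns into a UNC path after normalization.
        string late = ValidateThenNormalize(name);
        Console.WriteLine(late);
        // The second argument is rooted, so Path.Combine drops the root.
        Console.WriteLine(Path.Combine(root, late));

        // Same input, checked after normalization: rejected before any file API runs.
        try { Console.WriteLine(NormalizeThenValidate(root, name)); }
        catch (ArgumentException e) { Console.WriteLine("blocked: " + e.Message); }
    }
}
```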

Risk Factors / Details

Affected Products: DNN – All versions with DNNConnect.CKE HTML Editor Provider

Impact: NTLM credential theft

Exploit Prerequisites:
  • No authentication required (pre-authentication vulnerability)
  • Target system running DNN with file upload functionality
  • Windows environment with SMB enabled
  • Attacker-controlled server to receive NTLM hashes

CVSS 3.1 Score: 8.6 (High)

This vulnerability highlights the complexity of Unicode handling in web applications and demonstrates how defensive programming measures can be undermined by character encoding transformations.

The pre-authentication nature of this vulnerability makes it particularly dangerous, as it requires no user credentials to exploit and can compromise domain credentials through NTLM relay attacks.
