Unauthenticated File Upload Vulnerability in DNN CMS by DNN Software
CVE-2025-64095
Key Information:
- Vendor: Dnnsoftware
- Status
- Vendor
- CVE Published: 28 October 2025
What is CVE-2025-64095?
CVE-2025-64095 is a significant vulnerability found in DNN CMS, an open-source web content management system created for the Microsoft ecosystem. This platform is often employed by organizations to manage their websites and facilitate web content workflows. The vulnerability arises from a flaw in the default HTML editor provider, which allows unauthenticated users to upload files. Specifically, this issue enables attacks where an adversary can upload malicious files or replace existing files, leading to unauthorized access and manipulation of website content. Such exploitation could result in website defacement or the injection of malicious code, particularly through cross-site scripting (XSS) payloads. The severity of this vulnerability necessitated a fix, which was incorporated in version 10.1.1 of DNN CMS.
Potential impact of CVE-2025-64095
- Website Defacement: The vulnerability allows unauthorized file uploads and overwrites, enabling attackers to modify the appearance of a website. This can damage the organization’s reputation and erode user trust.
- Injection of Malicious Code: Through the upload functionality, attackers could inject XSS payloads, potentially compromising visitor data and leading to broader security breaches within the organization.
- Data Exposure and Unauthorized Access: If an attacker is able to manipulate files or gain control through this vulnerability, they may access sensitive information or exploit further weaknesses within the organization’s infrastructure, leading to more severe security incidents.
Affected Version(s)
Dnn.Platform < 10.1.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
