CVE-2012-10054

CRITICAL

Umbraco CMS <4.7.1 - RCE

Title source: llm

Description

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP web service. Its SaveDLRScript operation writes attacker-supplied file contents to disk without requiring authentication, and the fileName parameter is not sanitized against path traversal, so an attacker can place a malicious ASPX script in the web-accessible /umbraco/ directory and then execute it with a single HTTP request to that path.
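The following is an added detection example written for this page; it is not code from the CVE record, from Umbraco, or from the linked Metasploit module. It shows the two checks a practitioner wants here: a version test against the < 4.7.1 range this record gives, and an inspection of a captured SOAP request to the code editor service that flags the CVE-2012-10054 pattern (SaveDLRScript with a traversing fileName and an executable extension). The endpoint path /umbraco/webservices/codeEditorSave.asmx and the child elements other than fileName (oldName, fileContents, ignoreDebugging) are assumptions taken from the Metasploit module's request shape, and the sample request body is constructed for illustration.

```python
"""Added example for CVE-2012-10054 (not the page's, Umbraco's or Metasploit's code).

Assumptions, labelled because the CVE record does not state them:
- the SOAP operation element is <SaveDLRScript> with a <fileName> child (the
  record names both); oldName/fileContents/ignoreDebugging and the endpoint
  path /umbraco/webservices/codeEditorSave.asmx follow the Metasploit module;
- the sample request below is constructed, not captured from a real host.
"""
import re
import xml.etree.ElementTree as ET

SAVE_ENDPOINT = "codeEditorSave.asmx"
OPERATION = "SaveDLRScript"
# Extensions IIS/ASP.NET executes or that change application behaviour.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".config", ".cshtml"}


def is_vulnerable_version(version: str) -> bool:
    """True for any Umbraco version strictly below 4.7.1 (the range in this record)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts < (4, 7, 1)


def _local(tag: str) -> str:
    """Strip an XML namespace: '{http://tempuri.org/}fileName' -> 'fileName'."""
    return tag.rsplit("}", 1)[-1]


def inspect_soap_request(path: str, body: str) -> dict:
    """Inspect one HTTP request (URL path plus body) and return findings."""
    findings = {"endpoint_hit": False, "operation": None, "file_name": None,
                "traversal": False, "executable_ext": False, "verdict": "benign"}
    if SAVE_ENDPOINT.lower() not in path.lower():
        return findings
    findings["endpoint_hit"] = True
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        findings["verdict"] = "suspicious: unparseable SOAP sent to the code editor endpoint"
        return findings
    # Locate the SaveDLRScript operation regardless of namespace prefixes.
    for el in root.iter():
        if _local(el.tag) == OPERATION:
            findings["operation"] = OPERATION
            for child in el:
                if _local(child.tag) == "fileName":
                    findings["file_name"] = (child.text or "").strip()
            break
    name = findings["file_name"]
    if name is None:
        return findings
    # Windows accepts both separators, so split on either before looking for '..'.
    segments = re.split(r"[\\/]+", name)
    findings["traversal"] = ".." in segments
    last = segments[-1]
    ext = "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""
    findings["executable_ext"] = ext in EXECUTABLE_EXTS
    if findings["traversal"] or findings["executable_ext"]:
        findings["verdict"] = "exploit attempt: CVE-2012-10054 pattern"
    else:
        # The service writes files for anyone; even a tame call deserves a look.
        findings["verdict"] = "review: SaveDLRScript file write on an unauthenticated service"
    return findings


# Constructed sample request (assumed shape, see module docstring).
SAMPLE_PATH = "/umbraco/webservices/codeEditorSave.asmx"
SAMPLE_BODY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SaveDLRScript xmlns="http://tempuri.org/">
      <fileName>..\\..\\umbraco\\example.aspx</fileName>
      <oldName>example.aspx</oldName>
      <fileContents>&lt;%@ Page Language="C#" %&gt;</fileContents>
      <ignoreDebugging>true</ignoreDebugging>
    </SaveDLRScript>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print("4.7.0 vulnerable:", is_vulnerable_version("4.7.0"))
    print(inspect_soap_request(SAMPLE_PATH, SAMPLE_BODY))
```

Run this over request bodies captured by a WAF or reverse proxy in front of /umbraco/; IIS W3C logs alone only show the POST to codeEditorSave.asmx, not the fileName, so the traversal check needs the body. A follow-up GET for a fresh .aspx under /umbraco/ from the same client is the execution step.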

Exploits (2)

exploitdb · working PoC · verified
by Metasploit · ruby · webapps · windows
https://www.exploit-db.com/exploits/19671
metasploit · working PoC · rank: excellent
by Toby Clarke, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/umbraco_upload_aspx.rb

Scores

CVSS v3 9.8
EPSS 0.7594
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22 CWE-434
Status published
Products (2)
Umbraco/CMS < 4.7.1
umbraco/umbraco_cms < 4.7.1
Published Aug 13, 2025
Tracked Since Feb 18, 2026