CVE-2012-10054

CRITICAL

Umbraco CMS < 4.7.1 - Unauthenticated Remote Code Execution via codeEditorSave.asmx SaveDLRScript Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-10054. PoCs published by Metasploit, Toby Clarke, juan vazquez, including Metasploit module exploits/windows/http/umbraco_upload_aspx.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated file upload vulnerability in Umbraco CMS 4.7.0.378 via a SOAP request to codeEditorSave.asmx, allowing arbitrary ASPX file upload and remote code execution. The exploit leverages path traversal to place the payload in a web-accessible directory.

Description

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · webapps · windows
https://www.exploit-db.com/exploits/19671

This Metasploit module exploits an unauthenticated file upload vulnerability in Umbraco CMS 4.7.0.378 via a SOAP request to codeEditorSave.asmx, allowing arbitrary ASPX file upload and remote code execution. The exploit leverages path traversal to place the payload in a web-accessible directory.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Umbraco CMS 4.7.0.378
No auth needed
Prerequisites: Network access to the Umbraco CMS instance · Write permissions on the target directory
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · EXCELLENT
by Toby Clarke, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/umbraco_upload_aspx.rb

This Metasploit module exploits a path traversal and unauthorized file upload vulnerability in Umbraco CMS 4.7.0.378 to achieve remote command execution. It uploads an ASPX payload via a crafted SOAP request, executes it, and attempts cleanup if a Meterpreter session is established.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Umbraco CMS 4.7.0.378
No auth needed
Prerequisites: Target running Umbraco CMS 4.7.0.378 · Network access to the target · IIS APPPOOL\ASP.NET v4.0 user with write permissions on the Temp folder
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.8378
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-22 CWE-434
Status published
Products (2)
Umbraco/CMS < 4.7.1
umbraco/umbraco_cms < 4.7.1
Published Aug 13, 2025
Tracked Since Feb 18, 2026