CVE-2019-25137

HIGH

Umbraco CMS <7.15.10 - Authenticated RCE

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-25137. PoCs published by Gregory Draperi, Ickarah, dact91.

AI-analyzed exploit summary This exploit leverages an XSLT injection vulnerability in Umbraco CMS to achieve remote code execution by authenticated administrators. It uses a crafted XSLT payload with embedded C# code to execute arbitrary commands (e.g., calc.exe).

Description

Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

Exploits (3)

exploitdb WORKING POC

by Gregory Draperi · pythonwebappsaspx

https://www.exploit-db.com/exploits/46153

View Code ZIP pw:eip

This exploit leverages an XSLT injection vulnerability in Umbraco CMS to achieve remote code execution by authenticated administrators. It uses a crafted XSLT payload with embedded C# code to execute arbitrary commands (e.g., calc.exe).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Umbraco CMS 7.12.4

Auth required

Prerequisites: Authenticated administrator credentials · Access to the Umbraco CMS backoffice

MITRE ATT&CK

T1220 - XSL Script Processing T1059.003 - Windows Command Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP 1 stars

by Ickarah · poc

https://github.com/Ickarah/CVE-2019-25137-Version-Research

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2019-25137, an XSLT injection vulnerability in Umbraco CMS. It includes a breakdown of the exploit mechanism, affected versions, and proof-of-concept payloads demonstrating remote code execution.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Umbraco CMS versions 4.11.8 to 7.15.10

Auth required

Prerequisites: Administrator credentials to Umbraco CMS · Access to the vulnerable xsltVisualize.aspx endpoint

MITRE ATT&CK

T1220 - XSL Script Processing

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by dact91 · poc

https://github.com/dact91/CVE-2019-25137-RCE

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2019-25137, an authenticated RCE vulnerability in Umbraco. The exploit leverages XSLT script injection to execute arbitrary commands on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Umbraco CMS

Auth required

Prerequisites: Valid Umbraco credentials · Access to the Umbraco backoffice interface

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory

https://0xdf.gitlab.io/2020/09/05/htb-remote.html

Exploit, Third Party Advisory

https://github.com/Ickarah/CVE-2019-25137-Version-Research

Exploit, Third Party Advisory

https://github.com/noraj/Umbraco-RCE

View Exploit ZIP pw:eip

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/46153

Scores

CVSS v3 7.2

EPSS 0.0412

EPSS Percentile 89.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-91

Status published

Products (1)

umbraco/umbraco_cms 4.11.8 - 7.15.10

Published May 18, 2023

Tracked Since Feb 18, 2026