CVE-2025-24011
Published: 21 January 2025
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Security Summary
CVE-2025-24011 is a user enumeration (information disclosure) vulnerability in Umbraco, a free and open source .NET content management system. It affects the 14.x line from 14.0.0 up to but not including 14.3.2, and the 15.x line up to but not including 15.1.2: an attacker can determine whether a user account exists by comparing the response codes and the response timing of requests to the Umbraco management API. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-203 (Observable Timing Discrepancy), with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Any unauthenticated attacker with network access to the management API can exploit this with low complexity and no user interaction. By sending requests for candidate usernames and comparing the status codes and response times, the attacker builds a list of valid accounts, which turns blind credential guessing into targeted brute-force or phishing against known users. The confidentiality impact is limited to account existence and there is no direct impact on integrity or availability, which is why the score is only 5.3.
The Umbraco security advisory (GHSA-hmg4-wwm5-p999) and the associated GitHub commits (559c6c9f312df1d6eb1bde82c4b81c0896da6382 and 839b6816f2ae3e5f54459a0f09dad6b17e2d1e07) carry the fix, released in versions 14.3.2 and 15.1.2. No workaround is available, so administrators should upgrade affected installations promptly. Until the upgrade is done, restricting network access to the back office reduces exposure but does not remove the leak, and a high rate of failed logins spread over many distinct usernames from one source is the signal to watch for in access logs.
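To make the two leak channels concrete, here is an added example (not Umbraco's code, and not the patched code from the commits above) that shows a login handler with the vulnerable shape beside the hardened shape, plus the black-box oracle an auditor would run to tell them apart. The user store, the credential, the route-free handler signature and the status codes are constructed for the demo; real Umbraco responses and field names are not reproduced here.

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time
from dataclasses import dataclass

# Constructed demo credential store (not Umbraco's schema, not real accounts).
ITERATIONS = 50_000  # PBKDF2 rounds, deliberately slow so the timing channel is visible


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"admin@example.com": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy record so that requests for unknown users do the same hashing work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(32), _DUMMY_SALT)


@dataclass
class Response:
    status: int
    body: str


def login_vulnerable(username: str, password: str) -> Response:
    """Leaks account existence twice: a distinct status/body for unknown users
    (CWE-200), and an early return that skips the hash so unknown users are
    answered measurably faster (CWE-203)."""
    record = USERS.get(username)
    if record is None:
        return Response(404, "User not found")
    salt, expected = record
    if hmac.compare_digest(_hash(password, salt), expected):
        return Response(200, "ok")
    return Response(401, "Invalid credentials")


def login_hardened(username: str, password: str) -> Response:
    """One status and one body for 'no such user' and 'wrong password', and the
    password is always hashed (against a dummy record if needed) so both paths
    cost roughly the same."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if matched and username in USERS:
        return Response(200, "ok")
    return Response(401, "Invalid credentials")


def enumeration_oracle(handler, known: str, unknown: str,
                       password: str = "not-the-password", samples: int = 7):
    """Black-box check of the kind an auditor runs against a login endpoint.
    Returns (response_leak, timing_gap_seconds): response_leak is True if status
    or body differ between a known and an unknown username; timing_gap is
    median(known) - median(unknown), positive when unknown users answer faster."""
    def timed(user):
        t0 = time.perf_counter()
        resp = handler(user, password)
        return resp, time.perf_counter() - t0

    def shape(runs):
        return {(r.status, r.body) for r, _ in runs}

    known_runs = [timed(known) for _ in range(samples)]
    unknown_runs = [timed(unknown) for _ in range(samples)]
    response_leak = shape(known_runs) != shape(unknown_runs)
    gap = (statistics.median(t for _, t in known_runs)
           - statistics.median(t for _, t in unknown_runs))
    return response_leak, gap


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        leak, gap = enumeration_oracle(handler, "admin@example.com", "nobody@example.com")
        print(f"{name:10s} response leak={leak}  timing gap={gap * 1000:.1f} ms")
```

The point of the hardened version is that both fixes are needed together: a uniform 401 with an identical body closes the response-code channel, and hashing against a dummy record closes the timing channel. Rate limiting or CAPTCHAs slow an attacker down but do not remove either signal, which is consistent with the advisory offering no workaround short of upgrading.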
Details
CWE(s)
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-203: Observable Timing Discrepancy
Affected Products
- Umbraco CMS 14.x, from 14.0.0 up to but not including 14.3.2 (fixed in 14.3.2)
- Umbraco CMS 15.x, up to but not including 15.1.2 (fixed in 15.1.2)
MITRE ATT&CK Enterprise Techniques
- T1589 Gather Victim Identity Information
- T1110.001 Brute Force: Password Guessing
Why these techniques?
The vulnerability lets an external party enumerate valid user accounts through observable response differences, which maps directly to T1589 (Gather Victim Identity Information). Because the resulting list of existing accounts turns blind credential guessing into a targeted attack, it also maps to T1110.001 (Brute Force: Password Guessing).