DNN.Platform - Information Disclosure (CVE-2025-52488)

CVE-2025-52488 is a vulnerability in DNN (DotNetNuke) versions 6.0.0 to before 10.0.1 that could allow attackers to expose NTLM hashes by leveraging specially crafted malicious interactions. This flaw could be exploited to facilitate credential theft or relay attacks by sending the hashes to a third-party SMB server. The issue has been addressed in version 10.0.1.

CrowdSec has been tracking this vulnerability and its exploits since 16th of July 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-52488 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-52488 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit the DNN file upload endpoint with crafted Unicode paths to trigger NTLM hash disclosure, targeting /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx with specific query parameters.