DNN.Platform - Information Disclosure (CVE-2025-52488)

CVE-2025-52488 is a vulnerability in DNN (DotNetNuke) versions 6.0.0 to before 10.0.1 that could allow attackers to expose NTLM hashes by leveraging specially crafted malicious interactions. This flaw could be exploited to facilitate credential theft or relay attacks by sending the hashes to a third-party SMB server. The issue has been addressed in version 10.0.1.

CrowdSec has been tracking this vulnerability and its exploits since 16th of July 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-52488 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec network telemetry also shows that exploitation of CVE-2025-52488 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit the DNN file upload endpoint with crafted Unicode paths to trigger NTLM hash disclosure, targeting /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx with specific query parameters.