CVE-2012-10054
Published: 13 August 2025
Summary
CVE-2012-10054 is a critical-severity Path Traversal (CWE-22) vulnerability in Umbraco CMS. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Umbraco CMS versions prior to 4.7.1 are vulnerable to CVE-2012-10054, a critical unauthenticated remote code execution flaw (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) tied to CWE-22 (path traversal) and CWE-434 (code injection). The vulnerability affects the codeEditorSave.asmx SOAP endpoint, where the SaveDLRScript operation allows arbitrary file uploads without authentication. Attackers exploit a path traversal weakness in the fileName parameter to write malicious ASPX scripts directly into the web-accessible /umbraco/ directory for remote execution.
Unauthenticated remote attackers can exploit this over the network with low complexity and no user interaction. By crafting requests to the endpoint, they upload ASPX payloads that execute arbitrary code upon access, achieving high confidentiality, integrity, and availability impacts, including potential full server compromise.
Advisories and references point to upgrading to Umbraco CMS 4.7.1 or later for mitigation, as indicated by the archived CodePlex release. Public exploit code exists, including a Metasploit module for Windows HTTP exploitation and an Exploit-DB entry, underscoring active exploit availability.
Exploitation PoCs have been documented since around 2012, with the CVE formally published in 2025, reflecting late assignment for this legacy Umbraco CMS issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-6600
Vulnerability details
Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via arbitrary ASPX upload to public web directory on Umbraco CMS enables T1190 (public-facing app exploitation) and T1505.003 (web shell deployment/execution).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by identifying, reporting, and correcting the vulnerable codeEditorSave.asmx endpoint through patching to Umbraco CMS 4.7.1 or later.
- Validates inputs like the fileName parameter to block path traversal flaws (CWE-22) that enable writing malicious files to web-accessible directories.
- Enforces authentication and authorization on the SaveDLRScript operation to prevent unauthenticated remote file uploads leading to code execution.
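
An added example (not Umbraco's code and not the 4.7.1 fix) of the fileName validation described above: resolve the supplied name against the intended script directory, then reject anything that lands outside it or carries an unexpected extension. The class name, the base directory and the extension allow-list are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Linq;

public static class ScriptPathGuard // hypothetical helper, not part of Umbraco
{
    // Assumption: the only script types the editor is expected to save.
    static readonly string[] AllowedExtensions = { ".py", ".rb" };

    // True (with the resolved path) only when fileName stays inside baseDir.
    public static bool TryResolve(string baseDir, string fileName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(fileName)) return false;

        // Canonical base with exactly one trailing separator, so that
        // "C:\site\python" can never match "C:\site\python_evil\...".
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // GetFullPath collapses "..", mixed separators and rooted input,
            // so the check below sees the path the OS would actually open.
            candidate = Path.GetFullPath(Path.Combine(root, fileName));
        }
        catch (Exception ex) when (ex is ArgumentException ||
                                   ex is NotSupportedException ||
                                   ex is PathTooLongException)
        {
            return false; // illegal characters, stream syntax, oversized path
        }

        // Windows (IIS) file systems are case-insensitive, hence OrdinalIgnoreCase.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
        // Check the extension on the normalized path, not on the raw input.
        if (!AllowedExtensions.Contains(Path.GetExtension(candidate),
                                        StringComparer.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        string baseDir = @"C:\inetpub\site\python"; // constructed sample directory
        string[] names = { "report.py", @"sub\..\report.rb", @"..\umbraco\x.aspx",
                           @"C:\inetpub\site\umbraco\x.py", "x.aspx" }; // constructed inputs
        foreach (string n in names)
            Console.WriteLine("{0,-32} {1}", n, TryResolve(baseDir, n, out string p) ? p : "rejected");
    }
}
```

On Windows the first two names resolve inside the base directory and the last three are rejected. The check complements, and does not replace, requiring authentication on the SaveDLRScript operation.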