Cyber Resilience

CVE-2012-10054

Critical · Public PoC

Published: 13 August 2025

Modified: 19 September 2025
KEV: not listed
CVSS v4.0 base score: 9.3 (Critical); vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all threat, environmental and supplemental metrics not defined)
EPSS: 0.8378 (99.3rd percentile)
Risk Priority: 69 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-10054 is a critical-severity Path Traversal (CWE-22) vulnerability in Umbraco CMS that leads to unauthenticated remote code execution. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Umbraco CMS versions prior to 4.7.1 are vulnerable to CVE-2012-10054, a critical unauthenticated remote code execution flaw (CVSS v3.1 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v4.0 9.3) tied to CWE-22 (path traversal) and CWE-434 (unrestricted upload of file with dangerous type). The vulnerability affects the codeEditorSave.asmx SOAP endpoint, whose SaveDLRScript operation accepts file uploads without authentication. Attackers exploit a path traversal weakness in the fileName parameter to write malicious ASPX scripts directly into the web-accessible /umbraco/ directory, then request them to execute code on the server.

Unauthenticated remote attackers can exploit this over the network with low complexity and no user interaction. By crafting requests to the endpoint, they upload ASPX payloads that execute arbitrary code upon access, achieving high confidentiality, integrity, and availability impacts, including potential full server compromise.

Advisories and references point to upgrading to Umbraco CMS 4.7.1 or later for mitigation, as indicated by the archived CodePlex release. Public exploit code exists, including a Metasploit module for Windows HTTP exploitation and an Exploit-DB entry, underscoring active exploit availability.

Exploitation PoCs have been documented since around 2012, with the CVE formally published in 2025, reflecting late assignment for this legacy Umbraco CMS issue.

Vulnerability details

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct unauthenticated RCE via arbitrary ASPX upload to public web directory on Umbraco CMS enables T1190 (public-facing app exploitation) and T1505.003 (web shell deployment/execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
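The T1190 to T1505.003 sequence described above (a POST to the vulnerable endpoint followed by a request for a freshly planted .aspx under /umbraco/) is something a SOC can look for in IIS logs. The following detection script is an added example, not code from the original page or from Umbraco or any vendor: it parses IIS W3C extended log lines and correlates the two events per client IP. The log lines are constructed, and the /umbraco/webservices/ path prefix, the baseline of known backoffice pages and the correlation window are assumptions (the page names only the codeEditorSave.asmx file).

```python
"""Detection for CVE-2012-10054-style exploitation in IIS W3C logs.

Added example, not part of the original page or of any vendor tooling.
It correlates a POST to codeEditorSave.asmx with a later successful GET
from the same client for an .aspx under /umbraco/ that is not a known
backoffice page. Log lines are constructed; the /umbraco/webservices/
prefix and the known-page baseline are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# cs-username is "-" for forms-authenticated Umbraco editors as well as for
# anonymous clients, so it cannot distinguish a legitimate save from an
# unauthenticated one; the follow-up request for an unknown .aspx is the
# discriminator.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-08-13 10:00:01 10.0.0.5 GET /umbraco/login.aspx - 80 - 192.0.2.10 Mozilla/5.0 200
2025-08-13 10:00:07 10.0.0.5 POST /umbraco/webservices/codeEditorSave.asmx - 80 - 198.51.100.77 python-requests/2.31 200
2025-08-13 10:00:09 10.0.0.5 GET /umbraco/xk7f2.aspx cmd=whoami 80 - 198.51.100.77 python-requests/2.31 200
2025-08-13 10:01:00 10.0.0.5 GET /umbraco/umbraco.aspx - 80 - 192.0.2.10 Mozilla/5.0 200
2025-08-13 10:02:00 10.0.0.5 POST /umbraco/webservices/codeEditorSave.asmx - 80 - 192.0.2.11 Mozilla/5.0 200
2025-08-13 10:02:05 10.0.0.5 GET /umbraco/default.aspx - 80 - 192.0.2.11 Mozilla/5.0 200
"""

ENDPOINT_RE = re.compile(r"/codeEditorSave\.asmx$", re.IGNORECASE)
UMBRACO_ASPX_RE = re.compile(r"^/umbraco/[^/]+\.aspx$", re.IGNORECASE)
# Assumed baseline of legitimate backoffice pages; build it from an inventory
# of the deployed /umbraco/ tree in practice.
KNOWN_BACKOFFICE_PAGES = {"/umbraco/login.aspx", "/umbraco/default.aspx", "/umbraco/umbraco.aspx"}
WINDOW_SECONDS = 600


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def detect(rows):
    """Return one alert per unknown /umbraco/*.aspx fetched with HTTP 200 by a
    client that POSTed to codeEditorSave.asmx within WINDOW_SECONDS before."""
    saves = defaultdict(list)
    alerts = []
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        ip, stem = r["c-ip"], r["cs-uri-stem"]
        if r["cs-method"] == "POST" and ENDPOINT_RE.search(stem):
            saves[ip].append(ts)
        elif (r["cs-method"] == "GET" and r["sc-status"] == "200"
              and UMBRACO_ASPX_RE.match(stem)
              and stem.lower() not in KNOWN_BACKOFFICE_PAGES):
            recent = [t for t in saves[ip]
                      if 0 <= (ts - t).total_seconds() <= WINDOW_SECONDS]
            if recent:
                alerts.append({"c-ip": ip, "web_shell": stem,
                               "saved_at": recent[-1].isoformat(),
                               "fetched_at": ts.isoformat(),
                               "query": r["cs-uri-query"]})
    return alerts


def run(text=SAMPLE_LOG):
    """Convenience entry point: parse then detect."""
    return detect(parse_w3c(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample, only the 198.51.100.77 client fires: it saves via the endpoint and two seconds later fetches /umbraco/xk7f2.aspx with a query string. The editor at 192.0.2.11 also POSTs to the endpoint but only ever requests a known page, so the rule stays quiet. A POST to the endpoint from outside the backoffice operators' network ranges is worth a lower-severity alert on its own, but that list is site-specific and is not modelled here.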

CVEs Like This One

CVE-2025-24011 · Same product: Umbraco CMS
CVE-2026-31834 · Same product: Umbraco CMS
CVE-2025-2749 · Shared CWE-22, CWE-434
CVE-2024-13986 · Shared CWE-22, CWE-434
CVE-2026-9102 · Shared CWE-22, CWE-434
CVE-2025-67506 · Shared CWE-22, CWE-434
CVE-2026-44566 · Shared CWE-22, CWE-434
CVE-2026-22786 · Shared CWE-22, CWE-434
CVE-2022-50939 · Shared CWE-22, CWE-434
CVE-2025-35055 · Shared CWE-22, CWE-434

Affected Assets

Umbraco CMS, versions prior to 4.7.1 (fixed in 4.7.1)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent · Flaw remediation: directly mitigates the CVE by identifying, reporting and correcting the vulnerable codeEditorSave.asmx endpoint, in practice by patching to Umbraco CMS 4.7.1 or later.

prevent · SI-10 (Information Input Validation): validates inputs such as the fileName parameter to block the path traversal (CWE-22) that allows files to be written into web-accessible directories.

prevent · AC-3 (Access Enforcement): enforces authentication and authorization on the SaveDLRScript operation so that unauthenticated clients cannot upload files and reach code execution.
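The two code-level controls above, input validation on fileName and access enforcement on the operation, are concrete enough to show in code. Umbraco is a C#/.NET application; the following is an added Python model of the check the SaveDLRScript handler lacked, written for this page and not Umbraco's own code. It places the behaviour the advisory describes (an unchecked fileName join that lands an .aspx under /umbraco/) beside a hardened handler that authorizes the caller, confines the canonicalized path to the scripts directory and allowlists extensions. The role name, the extension allowlist, the directory layout and the placeholder payload are all assumptions.

```python
"""CWE-22 / CWE-434 containment for a script-save handler.

Added example, not Umbraco code: a Python model of the check the
SaveDLRScript operation lacked. vulnerable_save() reproduces the flaw the
advisory describes; hardened_save() applies AC-3 (authorize first) and
SI-10 (validate the path and extension). Role name, extension allowlist,
directory layout and payload are assumptions.
"""
import os
import re
import tempfile

ALLOWED_EXTENSIONS = {".py", ".rb"}   # assumed: script types the editor should manage
REQUIRED_ROLE = "edit-scripts"        # assumed role name


class SaveRejected(Exception):
    """Raised by the hardened handler for any request it refuses."""


def vulnerable_save(scripts_root, file_name, contents):
    """Mirrors the flaw: fileName joined unchecked, any extension, no auth."""
    target = os.path.join(scripts_root, file_name.replace("\\", "/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(contents)
    return os.path.realpath(target)


def safe_target(scripts_root, file_name):
    """Resolve file_name strictly inside scripts_root or raise SaveRejected."""
    if "\x00" in file_name:
        raise SaveRejected("NUL byte in file name")
    name = file_name.replace("\\", "/")   # treat both separators as Windows does
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise SaveRejected("absolute path not allowed")
    root = os.path.realpath(scripts_root)
    candidate = os.path.realpath(os.path.join(root, name))
    # Canonicalize first, then compare whole path components: a plain string
    # prefix test is fooled by a sibling such as "scripts_evil" and by symlinks.
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise SaveRejected("path escapes scripts root")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise SaveRejected("extension not allowed")
    return candidate


def hardened_save(scripts_root, file_name, contents, user):
    """AC-3: authorize before touching the filesystem; SI-10: validate the path."""
    if user is None or REQUIRED_ROLE not in user.get("roles", ()):
        raise SaveRejected("authentication/authorization required")
    target = safe_target(scripts_root, file_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(contents)
    return target


def _rejected(fn, *args):
    """True if fn(*args) raises SaveRejected."""
    try:
        fn(*args)
        return False
    except SaveRejected:
        return True


def demo():
    """Run both handlers against a throwaway site layout; return outcomes."""
    results = {}
    editor = {"roles": [REQUIRED_ROLE]}
    with tempfile.TemporaryDirectory() as site:
        scripts = os.path.join(site, "scripts")
        umbraco = os.path.join(site, "umbraco")
        os.makedirs(scripts)
        os.makedirs(umbraco)
        payload = '<%@ Page Language="C#" %>'   # placeholder, not a working shell
        traversal = "..\\umbraco\\shell.aspx"

        written = vulnerable_save(scripts, traversal, payload)
        results["vulnerable_wrote_into_umbraco"] = (
            os.path.dirname(written) == os.path.realpath(umbraco))
        results["hardened_rejected_traversal"] = _rejected(
            hardened_save, scripts, traversal, payload, editor)
        results["hardened_rejected_aspx_in_root"] = _rejected(
            hardened_save, scripts, "shell.aspx", payload, editor)
        results["hardened_rejected_unauthenticated"] = _rejected(
            hardened_save, scripts, "hello.py", "print(1)", None)
        ok = hardened_save(scripts, "lib/hello.py", "print(1)", editor)
        results["hardened_accepted_legit"] = (
            os.path.isfile(ok) and ok.startswith(os.path.realpath(scripts)))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in hardened_save matters: authorization runs before any path handling, so an anonymous request never reaches the filesystem at all, and the extension allowlist is applied to the canonicalized path rather than the raw input, which closes the "shell.aspx" case even when no traversal is attempted.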
