CVE-2025-24011
Published: 21 January 2025
Summary
CVE-2025-24011 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Umbraco CMS. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Gather Victim Identity Information (T1589). The CVE ranks in the top 2.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-6 (Authentication Feedback) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 Flaw Remediation directly addresses this CVE by requiring timely identification, testing, and installation of the patches that remove the differential response codes and timing in the Umbraco management API.
IA-6 Authentication Feedback requires obscuring feedback of authentication status, preventing enumeration of valid accounts through observable differences in response codes and timing.
SI-11 Error Handling ensures error messages do not reveal sensitive information like account existence via varying response codes in the management API.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables external enumeration of valid user accounts via observable response differences, directly mapping to T1589 Gather Victim Identity Information. It facilitates targeted brute-force attacks by identifying existing accounts, mapping to T1110.001 Password Guessing.
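A detection example for the two techniques above, added here and not taken from the page or from the Umbraco project. It runs over constructed JSON-lines authentication events; the field names (ts, src, user, status), the thresholds and the window are assumptions, and Umbraco's own audit logging will need its own parser. A source that fails against many distinct accounts inside the window is flagged as T1589, and a source that repeatedly fails against one account as T1110.001; the detail string also records which status codes the source observed, since a 404/401 split across accounts is the enumeration oracle itself.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed; tune to the site's normal failure rate).
WINDOW = timedelta(minutes=5)
ENUM_DISTINCT_USERS = 5   # distinct accounts tried from one source  -> T1589
GUESS_ATTEMPTS = 5        # failures against one account, one source -> T1110.001


def _line(ts, src, user, status):
    return json.dumps({"ts": ts, "src": src, "user": user, "status": status})


# Constructed sample events (hypothetical schema, not Umbraco's log format):
# one source walks a candidate list and gets 404 for unknown accounts and 401
# for the account that exists; a second source then hammers that account;
# a third is a legitimate user who mistyped a password once.
SAMPLE_LOG = "\n".join(
    [_line(f"2025-01-22T10:00:{i:02d}Z", "203.0.113.7", user, status)
     for i, (user, status) in enumerate([
         ("alice@example.com", 404), ("bob@example.com", 404),
         ("admin@example.com", 401), ("carol@example.com", 404),
         ("dave@example.com", 404), ("erin@example.com", 404)])]
    + [_line(f"2025-01-22T10:05:{i:02d}Z", "198.51.100.9", "admin@example.com", 401)
       for i in range(8)]
    + [_line("2025-01-22T10:07:30Z", "192.0.2.5", "alice@example.com", 401)]
)


def parse(log_text):
    """Parse JSON lines into (timestamp, src, user, status) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append((ts, rec["src"], rec["user"], int(rec["status"])))
    events.sort()
    return events


def detect(events):
    """Return {(technique, src): detail} for sources whose failed logins match
    an enumeration or password-guessing pattern inside any WINDOW."""
    findings = {}
    by_src = defaultdict(list)
    for ts, src, user, status in events:
        if status in (401, 403, 404):          # failed attempts only
            by_src[src].append((ts, user, status))
    for src, evs in by_src.items():
        for i, (ts_end, _, _) in enumerate(evs):
            # Sliding window ending at this event.
            window = [e for e in evs[: i + 1] if ts_end - e[0] <= WINDOW]
            per_user = Counter(user for _, user, _ in window)
            codes = sorted({status for _, _, status in window})
            if len(per_user) >= ENUM_DISTINCT_USERS:
                findings[("T1589", src)] = (
                    f"{len(per_user)} distinct accounts tried, status codes seen {codes}")
            user, n = per_user.most_common(1)[0]
            if n >= GUESS_ATTEMPTS:
                findings[("T1110.001", src)] = f"{n} failures against {user}"
    return findings


if __name__ == "__main__":
    for (technique, src), detail in sorted(detect(parse(SAMPLE_LOG)).items()):
        print(f"{technique:10} {src:14} {detail}")
```

The two rules are deliberately kept apart: the enumeration rule keys on breadth of accounts, the guessing rule on depth against one account, so a source that does both gets both findings and the sequence (enumerate, then guess the confirmed account) is visible in the output.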
NVD Description
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.
Deeper analysis
CVE-2025-24011 is an information disclosure vulnerability in Umbraco, a free and open source .NET content management system. It affects versions starting from 14.0.0 up to but not including 14.3.2 and 15.1.2, where attackers can determine whether a user account exists by analyzing response codes and timing differences in the Umbraco management API responses. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-203 (Observable Timing Discrepancy), with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By sending crafted requests to the management API, they can enumerate valid account existence through observable differences in response codes and timing, potentially aiding further attacks like targeted brute-force attempts or phishing.
The Umbraco security advisory (GHSA-hmg4-wwm5-p999) and associated GitHub commits (559c6c9f312df1d6eb1bde82c4b81c0896da6382 and 839b6816f2ae3e5f54459a0f09dad6b17e2d1e07) confirm patches in versions 14.3.2 and 15.1.2. No workarounds are available, so administrators should upgrade affected installations immediately.
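The following is an added example, not code from this page or from the Umbraco project, and it does not reproduce the fix in the commits cited above. It models the two observable differences the advisory names (the response code and the amount of work done before answering) in a hypothetical login handler, next to a handler hardened along the lines of the IA-6 and SI-11 controls listed earlier: every failure returns the same status and message, and a PBKDF2 verification against a dummy record runs even when the account does not exist. The user store, the PBKDF2 parameters and the `hash_calls` counter (a deterministic stand-in for wall-clock time, so the check does not depend on a noisy timer) are all assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed user store with one existing account (assumed; not Umbraco's).
_SALT = os.urandom(16)


def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow: this is the "timing" half of the oracle.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"admin@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy record the hardened handler verifies against when the account does
# not exist, so the same work is done on every code path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


@dataclass
class Result:
    status: int
    body: dict
    hash_calls: int   # expensive verifications performed before answering


def login_vulnerable(username: str, password: str) -> Result:
    """Leaks existence twice: 404 vs 401, and no hashing for an unknown user."""
    rec = USERS.get(username)
    if rec is None:
        return Result(404, {"error": "User not found"}, 0)
    salt, expected = rec
    if hmac.compare_digest(_hash(password, salt), expected):
        return Result(200, {"token": "..."}, 1)
    return Result(401, {"error": "Invalid password"}, 1)


def login_hardened(username: str, password: str) -> Result:
    """IA-6 / SI-11: same status, same message and same work for every failure."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), expected)
    # The dummy record must never authenticate anyone, hence the explicit check.
    if match and rec is not None:
        return Result(200, {"token": "..."}, 1)
    return Result(401, {"error": "Invalid username or password"}, 1)


def probe(handler, candidates, password="wrong-password"):
    """Attacker-side oracle: the (status, work) signature each candidate produces."""
    sig = {}
    for user in candidates:
        r = handler(user, password)
        sig[user] = (r.status, r.hash_calls)
    return sig


def leaks(handler, candidates) -> bool:
    """True if the oracle can tell the candidates apart."""
    return len(set(probe(handler, candidates).values())) > 1


if __name__ == "__main__":
    # Wall-clock view of the same difference (machine dependent, so not asserted).
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        for user in ("admin@example.com", "nobody@example.com"):
            t0 = time.perf_counter()
            r = handler(user, "wrong-password")
            ms = 1000 * (time.perf_counter() - t0)
            print(f"{name:10} {user:20} status={r.status} {ms:6.1f} ms")
```

Note the guard `match and rec is not None` in the hardened handler: without it, a login for a non-existent account with the dummy password would succeed, which is a worse bug than the one being fixed. Short-circuiting is avoided by computing `match` first, so the verification cost is paid on every path.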
Details
- CWE(s)