CVE-2025-32017
Published: 08 April 2025
Summary
CVE-2025-32017 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Umbraco CMS. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10387
Vulnerability details
Umbraco is a free and open source .NET content management system. Authenticated users of the Umbraco backoffice can craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the Umbraco management API lets authenticated backoffice users upload files to arbitrary locations on the server, which facilitates exploitation of public-facing web applications (T1190) and the deployment of web shells for remote code execution (T1100).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.