Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Umbraco Umbraco Cms CVE-2025-24011

Name: Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Umbraco Umbraco Cms CVE-2025-24011
Rating: 5 (118 reviews)

2025-03-21 | CVSS 5.3

## https://sploitus.com/exploit?id=CAAC7F26-0CE4-5846-9673-F88207C11DBB
Proof of concept for CVE-2025-24011 based on https://github.com/advisories/GHSA-hmg4-wwm5-p999

This toool has been tested on Umbraco version 15.1.1 and 13.7.2 on Ubuntu 24.04.2 LTS

Usernames in Umbraco are (as I understand it) e-mails.

This tools accepts a list of "usernames" (-f) and a url (-u) eg. https://192.168.122.215:8443

*example usage*

`python3 poc.py -f emails.txt -u https://192.168.122.215:8443`

# LAB SETUP

*install .NET SDK 9.0 manually*
```
wget https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/sdk-9.0.100-linux-x64-binaries
sudo mkdir -p /usr/local/dotnet
sudo tar -xvf dotnet-sdk-8.0.407-linux-x64.tar.gz -C /usr/local/dotnet/

export PATH="/usr/local/dotnet:$PATH"
export DOTNET_ROOT="/usr/local/dotnet"

dotnet new install Umbraco.Templates::15.1.1
dotnet new umbraco -n MyCustomUmbracoProject

cd MyCustomUmbracoProject
dotnet build
dotnet run --urls "https://0.0.0.0:8443"

```

*enable locked out user in sqlite database*
`update umbracoUser set userNoConsole = 0 where id == -1;`

# NOTES
- This tool performs incorrect login attempts and can potentially lockout a user if too many incorrect attempts are made for an existing user (default is 5 wrong password attempts pr. user)
- This technique will not work if the user is locked out
- The tool is observed to report false positives but the "factor" can be adjusted if too many false positives are reported.
- All credits to the CVE-holder (I beleive https://github.com/AndyButland)