CVE-2025-49147 in Umbraco
Summary
by MITRE • 06/24/2025
Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password. This information was not exposed in Umbraco 7 or 8, nor in 14 or higher versions. The vulnerability is patched in versions 10.8.11 and 13.9.2.
Analysis
by VulDB Data Team • 06/25/2025
This vulnerability exists within Umbraco content management system versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1 where an anonymous attacker can exploit a misconfigured endpoint to extract password policy information. The flaw manifests through a request to an endpoint that should not expose authentication-related configuration details to unauthenticated users. This represents a classic information disclosure vulnerability that violates the principle of least privilege and could enable credential stuffing or brute force attacks against user accounts. The vulnerability specifically affects versions that were released during the 10.x and 13.x release cycles, while older versions 7 and 8, as well as newer 14.x releases, properly restrict this information disclosure. The technical implementation appears to involve insufficient access controls on a password policy endpoint that should only be accessible to authenticated administrators or system processes.
The operational impact of this vulnerability extends beyond simple information exposure as it provides attackers with specific details about password complexity requirements that could significantly reduce the effectiveness of brute force or dictionary attacks. While the information disclosed is limited to password policy parameters rather than actual user credentials or system secrets, it creates a valuable intelligence payload for threat actors attempting to compromise user accounts. This vulnerability aligns with CWE-200 - Information Exposure and represents a weakness in the application's authorization mechanisms that allows unauthorized access to sensitive configuration data. The exposure of password requirements could enable attackers to craft more effective password guessing strategies, particularly when combined with other reconnaissance activities and user enumeration techniques.
Security practitioners should consider this vulnerability in the context of broader attack patterns documented in the MITRE ATT&CK framework, specifically within the credential access and reconnaissance domains where attackers seek to understand system defenses before launching more sophisticated attacks. The vulnerability demonstrates poor input validation and access control implementation that could be exploited in conjunction with other weaknesses to escalate privileges or gain unauthorized access to user accounts. Organizations running affected Umbraco versions should prioritize patching to version 10.8.11 or 13.9.2 where the access controls have been properly implemented to prevent anonymous users from accessing password policy information. The fix implemented in these patched versions likely involves strengthening endpoint authorization checks and ensuring that password policy configuration data is only accessible through proper authentication mechanisms, thereby protecting against unauthorized information disclosure that could facilitate subsequent attacks.
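As an added example (not part of the MITRE or VulDB text), the following Python check classifies an Umbraco version string against the affected ranges stated above (10.0.0 through 10.8.10 and 13.0.0 through 13.9.1) and names the fixed release to move to; the host inventory it walks is constructed, and versions outside the listed ranges are reported only as "not listed", since the advisory does not speak to them.

```python
# Added example (not from the advisory): checks an Umbraco version string
# against the affected ranges stated for CVE-2025-49147 and names the fixed
# release to upgrade to. Range boundaries come from the advisory text; the
# inventory entries at the bottom are constructed for illustration.
import re
from typing import NamedTuple, Optional


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing pre-release/build tag is ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return Version(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


# (first_affected, last_affected, first_fixed) per the advisory; bounds inclusive.
AFFECTED_RANGES = [
    (Version(10, 0, 0), Version(10, 8, 10), Version(10, 8, 11)),
    (Version(13, 0, 0), Version(13, 9, 1), Version(13, 9, 2)),
]


def fixed_version_for(text: str) -> Optional[Version]:
    """Return the fixed release an affected install should move to, else None."""
    v = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:  # tuple comparison is lexicographic: major, minor, patch
            return fixed
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


def format_version(v: Version) -> str:
    return f"{v.major}.{v.minor}.{v.patch}"


if __name__ == "__main__":
    # constructed sample inventory: (host, Umbraco version reported by the site)
    inventory = [("cms-a", "10.8.10"), ("cms-b", "13.9.2"), ("cms-c", "13.4.0-rc1"), ("cms-d", "14.1.0")]
    for host, ver in inventory:
        fix = fixed_version_for(ver)
        status = f"AFFECTED, upgrade to {format_version(fix)}" if fix else "not in listed affected ranges"
        print(f"{host}: Umbraco {ver} -> {status}")
```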