
CVE-2025-24011 PoC — Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes

Associated Vulnerability

Title: Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes (CVE-2025-24011)

Description: Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.
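The advisory above describes the two signals the PoC relies on: a different response code and a different response time depending on whether the account exists. The following added example (not code from the PoC repository and not Umbraco's own implementation) reproduces that pattern against a constructed in-memory user store, so the leaky and the hardened login handler can be compared side by side. `login_leaky` short-circuits on an unknown username (distinct status, no password hashing), while `login_uniform` hashes against a fixed dummy record and returns the same status either way; `status_oracle` and `median_ms` show which of the two can be told apart. All names, the user store and the PBKDF2 settings are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

# Constructed toy user store; this is NOT Umbraco's schema or code.
ITERATIONS = 20_000  # kept low so the demo runs quickly; production uses far more


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS: Dict[str, Tuple[bytes, bytes]] = {
    "admin@example.com": _make_record("correct horse battery staple"),
}

# Fixed dummy credentials so an unknown username costs the same work as a known one.
_DUMMY_SALT, _DUMMY_HASH = _make_record("unused-dummy-password")


def login_leaky(username: str, password: str) -> Tuple[int, bool]:
    """Vulnerable pattern: distinct status code and no hashing for unknown users.
    Returns (http_status, password_hash_was_computed)."""
    record = USERS.get(username)
    if record is None:
        return 404, False  # fast path with a different code: an enumeration oracle
    salt, expected = record
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return (200 if ok else 401), True


def login_uniform(username: str, password: str) -> Tuple[int, bool]:
    """Hardened pattern: same status code and the same amount of work whether or
    not the username exists."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    computed = _hash_password(password, salt)  # always runs, even for unknown users
    match = hmac.compare_digest(computed, expected)
    ok = record is not None and match
    return (200 if ok else 401), True


LoginFn = Callable[[str, str], Tuple[int, bool]]


def status_oracle(login: LoginFn, known: str, unknown: str,
                  wrong_password: str = "nope") -> bool:
    """True if a wrong-password attempt distinguishes a known from an unknown
    username by status code alone."""
    return login(known, wrong_password)[0] != login(unknown, wrong_password)[0]


def median_ms(login: LoginFn, username: str, password: str, rounds: int = 7) -> float:
    """Median wall-clock cost of one login call, in milliseconds."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        samples.append((time.perf_counter() - t0) * 1000)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(f"{name}: status oracle = "
              f"{status_oracle(fn, 'admin@example.com', 'ghost@example.com')}")
        print(f"  known user   {median_ms(fn, 'admin@example.com', 'nope'):.2f} ms")
        print(f"  unknown user {median_ms(fn, 'ghost@example.com', 'nope'):.2f} ms")
```

Running the block prints a status-code oracle of `True` for the leaky handler and `False` for the uniform one, and the timing for the leaky handler's unknown-user path is visibly shorter because no hash is computed. The fix is the combination of both halves: a single failure status for every unsuccessful attempt and a dummy hash so the unknown-user path does the same work as the known-user path.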
Description
Umbraco User Enum - CVE-2025-24011 PoC
Readme
Proof of concept for CVE-2025-24011 based on https://github.com/advisories/GHSA-hmg4-wwm5-p999

This tool has been tested on Umbraco versions 15.1.1 and 13.7.2 on Ubuntu 24.04.2 LTS.

Usernames in Umbraco are (as I understand it) e-mails.

This tool accepts a list of "usernames" (-f) and a URL (-u), e.g. https://192.168.122.215:8443

*example usage*

`python3 poc.py -f emails.txt -u https://192.168.122.215:8443`

# LAB SETUP

*install .NET SDK 9.0 manually*
```shell
# The wget target below is the download landing page for SDK 9.0.100, while the
# archive extracted next is named for SDK 8.0.407; the commands are reproduced as
# published. The tar argument must match the SDK archive actually downloaded.
wget https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/sdk-9.0.100-linux-x64-binaries
sudo mkdir -p /usr/local/dotnet
sudo tar -xvf dotnet-sdk-8.0.407-linux-x64.tar.gz -C /usr/local/dotnet/

# Make the manually unpacked SDK visible to the shell and to dotnet itself
export PATH="/usr/local/dotnet:$PATH"
export DOTNET_ROOT="/usr/local/dotnet"

# Install the Umbraco project template and create a test site
dotnet new install Umbraco.Templates::15.1.1
dotnet new umbraco -n MyCustomUmbracoProject

cd MyCustomUmbracoProject
dotnet build
# Listen on all interfaces so the PoC host can reach the lab instance
dotnet run --urls "https://0.0.0.0:8443"
```

*enable locked out user in sqlite database*

```sql
update umbracoUser set userNoConsole = 0 where id == -1;
```

# NOTES
- This tool performs incorrect login attempts and can potentially lock out a user if too many incorrect attempts are made for an existing user (the default is 5 wrong password attempts per user).
- This technique will not work if the user is locked out.
- The tool is observed to report false positives, but the "factor" can be adjusted if too many false positives are reported.
- All credits to the CVE-holder (I believe https://github.com/AndyButland)
File Snapshot

```
[4.0K] /data/pocs/e0b91a2525eee12d2cab60bc5e1103def126061d
├── [4.2K] poc.py
└── [1.4K] README.md

0 directories, 2 files
```