A critical vulnerability has been identified in Umbraco CMS, designated CVE-2025-67288. This flaw allows an unauthenticated attacker to upload a malicious file, leading to arbitrary code execution and a complete compromise of the affected server. Due to its maximum CVSS score of 10.0, this vulnerability poses a severe and immediate threat to the confidentiality, integrity, and availability of the system.

The vulnerability is an arbitrary file upload flaw within the Umbraco CMS. The application fails to properly validate files uploaded to the server, specifically crafted PDF files. An unauthenticated attacker can create a malicious file (e.g., a web shell) and disguise it as a PDF, bypassing the system's file type checks. Once the file is uploaded to a web-accessible directory on the server, the attacker can then access it via a URL to execute the embedded code with the permissions of the web server process.

This vulnerability is rated as critical severity with a CVSS score of 10.0, representing the highest possible risk. Successful exploitation grants an attacker complete control over the web server, enabling them to execute arbitrary code. Potential consequences include theft of sensitive data (customer information, credentials, intellectual property), website defacement, deployment of ransomware, or using the compromised server as a pivot point to attack other internal network resources. This poses a direct and severe risk to business operations, brand reputation, and data security.

Immediate Action: Immediately update all instances of Umbraco CMS to the latest patched version as recommended by the vendor. After applying the update, it is crucial to monitor for any signs of post-remediation exploitation attempts and thoroughly review historical access logs for indicators of compromise that may have occurred prior to patching.

Proactive Monitoring: Monitor web server logs (e.g., IIS logs) for unusual POST requests to file upload endpoints and for direct requests to non-standard files (e.g., .aspx, .ashx) in media or upload directories. Implement File Integrity Monitoring (FIM) to alert on the creation of new, unauthorized executable files in web directories. Monitor for anomalous processes spawned by the web server's worker process (e.g., w3wp.exe).

Compensating Controls: If patching is not immediately possible, implement the following controls:

• Deploy a Web Application Firewall (WAF) with strict rules to inspect and block malicious file uploads.
• Disable anonymous or public file upload functionality if not essential for business operations.
• Configure the web server to deny script execution permissions in all directories where file uploads are stored.
• Enhance egress filtering to block unexpected outbound connections from the web server.

Public Exploit Available: False

Given the critical severity (CVSS 10.0) of this vulnerability, which allows for unauthenticated remote code execution, immediate action is required. Although CVE-2025-67288 is not currently listed on the CISA KEV catalog, its high impact and low attack complexity make it a prime target for opportunistic and sophisticated threat actors. We strongly recommend patching all vulnerable Umbraco CMS instances on an emergency basis, without delay. If patching is not feasible, the compensating controls listed above must be implemented immediately while actively hunting for any indicators of compromise.