#VU105961 Improper Authorization in Umbraco CMS - CVE-2025-27601

Cybersecurity Help s.r.o.

Published: 2025-03-24

Vulnerability identifier: #VU105961

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27601

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Umbraco CMS
Web applications / CMS

Vendor: Umbraco

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper API access control. A remote user can create and update data type information that should be restricted to users with access to the settings section.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Umbraco CMS: 14.3.0 - 14.3.2, 15.2.0 - 15.2.2

External links
https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd
https://github.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9c
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6ffg-mjg7-585x

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authorization in Umbraco CMS