#VU105962 Improper Authorization in Umbraco CMS - CVE-2025-27602

Cybersecurity Help s.r.o.

Published: 2025-03-24

Vulnerability identifier: #VU105962

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-27602

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Umbraco CMS
Web applications / CMS

Vendor: Umbraco

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper API access control. A remote user can manipulate backoffice API URLs and retrieve or delete content or media.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Umbraco CMS: 10.8.0 - 10.8.8, 13.0.0 - 13.7.0

External links
https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7
https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authorization in Umbraco CMS