The DNN Platform, a leading open-source Content Management System (CMS) in the Microsoft ecosystem, is urging its global user base of over 750,000 websites to update immediately following the disclosure of a critical vulnerability: CVE-2025-64095.
The flaw, a classic case of insufficient access control, carries the maximum severity score of CVSS 10.0. That rating reflects a vulnerability reachable over the network with low attack complexity, no privileges and no user interaction required, and full impact on the confidentiality, integrity, and availability of the affected system.
The vulnerability is in the default HTML editor provider shipped with the DNN Platform, and the attack requires no authentication at all.
The core issue is that the editor accepts a file upload from an unauthenticated user and, critically, the uploaded file can overwrite existing files on the server.
Because the attacker controls both the contents and the destination of the write, replacing files the site already serves is enough to take over the site. The most direct consequence is defacement. Chained with other common weaknesses, the same overwrite primitive can plant stored Cross-Site Scripting (XSS) payloads that are served to other users, including administrators, enabling session hijacking and credential theft.
All administrators running the DNN Platform must treat this advisory with the highest urgency.
- Affected versions: all DNN Platform releases prior to 10.1.1.
- Required fix: update immediately to DNN Platform 10.1.1 or later.
Given the severity, site owners who ran an unpatched version should assume they may have been targeted and review both the web server request logs and the file system for unexpected uploads or modified files, comparing timestamps and hashes against a clean copy of the same release. Note that updating closes the hole but does not restore files that were already overwritten; anything changed while the site was exposed has to be found and replaced.
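As a starting point for that log review, here is an added example (not code from the DNN project) that parses an IIS W3C extended log and lists the POST requests to the editor's upload handler that IIS did not reject. The watched URI prefix and the handler name in the sample are assumptions, and the log excerpt is constructed for this example; substitute the path your DNN release actually exposes.

```python
"""Triage an IIS W3C log for POSTs to an HTML editor upload handler.

Added example for this advisory; it is not code from the DNN project.
The watched prefix and the "Upload.ashx" name are placeholders, and the
log excerpt below is constructed, not a real capture.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumption: the editor provider's upload handler lives under this path.
# Adjust it to the path your DNN release actually exposes.
WATCHED_PREFIXES = ("/providers/htmleditorproviders/",)

# Constructed IIS W3C extended log excerpt (field list as IIS writes it).
# The last line is deliberately truncated to exercise the malformed-line path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-11-03 14:02:11 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2025-11-03 14:02:19 10.0.0.5 POST /Providers/HtmlEditorProviders/Upload.ashx - 443 - 203.0.113.7 curl/8.4.0 200 0 0 45
2025-11-03 14:03:02 10.0.0.5 POST /Providers/HtmlEditorProviders/Upload.ashx - 443 - 198.51.100.9 Mozilla/5.0 200 0 0 80
2025-11-03 14:04:40 10.0.0.5 POST /Providers/HtmlEditorProviders/Upload.ashx - 443 - 203.0.113.7 curl/8.4.0 500 0 0 10
2025-11-03 14:05:01 10.0.0.5 POST /Providers/HtmlEditorProviders/Upload.ashx - 443 - 203.0.113.7
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    uri: str
    user_agent: str
    status: int


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive defines the column order
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # truncated or malformed line: skip it rather than misattribute columns
        records.append(dict(zip(fields, parts)))
    return records


def find_upload_posts(records: Iterable[dict[str, str]],
                      prefixes: Iterable[str] = WATCHED_PREFIXES,
                      max_status: int = 399) -> list[Hit]:
    """Return POSTs under the watched prefixes that IIS did not reject.

    A 2xx/3xx response means the handler ran; it does not prove a file was
    written, so each hit is a lead to confirm against the file system.
    """
    watched = tuple(p.lower() for p in prefixes)
    hits: list[Hit] = []
    for r in records:
        if r.get("cs-method") != "POST":
            continue
        stem = r.get("cs-uri-stem", "")
        if not stem.lower().startswith(watched):
            continue
        raw_status = r.get("sc-status", "")
        status = int(raw_status) if raw_status.isdigit() else 0
        if status > max_status:
            continue
        hits.append(Hit(f"{r['date']} {r['time']}", r.get("c-ip", "-"),
                        stem, r.get("cs(User-Agent)", "-"), status))
    return hits


def hits_by_client(hits: Iterable[Hit]) -> dict[str, int]:
    """Count accepted upload POSTs per source IP, most active first."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    for h in find_upload_posts(recs):
        print(f"{h.timestamp} {h.client_ip} {h.status} {h.uri} {h.user_agent}")
    print(hits_by_client(find_upload_posts(recs)))
```

Two caveats when running this against real logs. The IIS cs-username column only reflects IIS-level authentication (Windows or Basic); users logged in through DNN's forms authentication show up as "-" just like anonymous visitors, so the log alone cannot tell an administrator's legitimate upload from an attacker's, and each hit has to be correlated with DNN's own event log and with the modification times and hashes of files under the web root. Second, a server error on the upload request does not mean nothing happened; raise max_status if you want to see the rejected attempts as well.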