Umbraco has identified a medium-severity security issue in Umbraco 13. The vulnerability may allow a user to enumerate the file system to determine whether specific files exist, and to obtain the NTLM hash of the user account under which the application pool runs.
A patch has been released for Umbraco 13. Unsupported versions may also be subject to the vulnerability but will not receive a patch. We advise that the patch be applied as soon as possible.
The security issue is not publicly known.
Which versions are affected?
Versions affected: Umbraco 13.0.0 - 13.12.0
How to fix the issue
A patch is available for the latest minor version of Umbraco 13. As this is a patch upgrade and the fix is straightforward, we expect the update to require only minimal effort per project.
Instructions on patch availability and how to upgrade can be found in the release notes for Umbraco 13.12.1.
Please reach out to the agency or developer responsible for your website; alternatively, contact us if you are interested in our patching and support SLA.
What's known about the vulnerability
The vulnerability is found in the feature that allows dictionary and content types to be uploaded from .udt files. If certain conditions are in place and a manipulated request is made to the endpoints that process these uploads, it is possible to:
Enumerate the file system to determine whether specific files exist.
Obtain the NTLM hash of the user account under which the application pool runs.
We have evaluated this as a moderate vulnerability.
There are mitigating factors to be aware of that lower the practical risk:
The vulnerability can only be exploited in the context of an authenticated backoffice user, so a compromised or rogue account is required first.
The NTLM hash could only practically be used to recover the credentials of the application pool account if that account's password is weak.
Even if the credentials are obtained, the level of access is limited to that granted to the application pool account.
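The two questions a site owner needs answered are whether the installed version falls in the affected range (13.0.0 to 13.12.0) and what identity the application pool runs under, since the NTLM-hash exposure only matters in practice for a named account with a crackable password. The following PowerShell script is an added example for checking both; it is not Umbraco's own code or tooling. It assumes the site is hosted on IIS with the WebAdministration module available, and that the installed CMS version can be read from the file version of bin\Umbraco.Cms.Core.dll in the site root (both assumptions, not stated in the advisory).

```powershell
# Added example, not part of the Umbraco advisory or code base.
# Checks one IIS-hosted Umbraco site for the affected version range and
# reports the identity its application pool runs under.
# Assumptions: IIS hosting, WebAdministration module present, and
# bin\Umbraco.Cms.Core.dll carrying the installed CMS version.
param(
    [Parameter(Mandatory = $true)][string]$SiteName
)

Import-Module WebAdministration -ErrorAction Stop

# Affected range and fixed version as stated in the advisory.
$AffectedMin = [version]'13.0.0'
$AffectedMax = [version]'13.12.0'
$Fixed       = [version]'13.12.1'

$site = Get-Website -Name $SiteName
if (-not $site) { throw "IIS site '$SiteName' not found" }

# physicalPath may contain environment variables such as %SystemDrive%.
$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$dll  = Join-Path $root 'bin\Umbraco.Cms.Core.dll'
if (-not (Test-Path $dll)) { throw "Umbraco.Cms.Core.dll not found under $root\bin" }

# File versions may carry a fourth component (13.12.0.0) or a build suffix;
# reduce to major.minor.patch before comparing.
$rawVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll).FileVersion
$parts      = ($rawVersion -replace '[+-].*$') -split '\.'
$installed  = [version](($parts[0..2]) -join '.')

$isAffected = ($installed -ge $AffectedMin) -and ($installed -le $AffectedMax)

# Application pool identity: SpecificUser means a named account with a
# password, which is the case the advisory's weak-password caveat covers.
# Built-in identities (ApplicationPoolIdentity, NetworkService, ...) have
# no user-chosen password to crack.
$pool         = Get-Item "IIS:\AppPools\$($site.applicationPool)"
$identityType = [string]$pool.processModel.identityType
$userName     = $pool.processModel.userName

[pscustomobject]@{
    Site                 = $SiteName
    InstalledVersion     = $installed.ToString()
    Affected             = $isAffected
    Recommendation       = if ($isAffected) { "Upgrade to $Fixed or later" } else { 'Not in affected range' }
    AppPool              = $site.applicationPool
    AppPoolIdentityType  = $identityType
    AppPoolUser          = if ($identityType -eq 'SpecificUser') { $userName } else { '(built-in identity)' }
    NamedAccountExposure = ($identityType -eq 'SpecificUser')
}
```

Run it from an elevated PowerShell session on the web server, e.g. `.\Check-UmbracoAdvisory.ps1 -SiteName 'MySite'`. A result of `Affected = True` with `NamedAccountExposure = True` is the combination worth prioritising: patch to 13.12.1, and review the strength of that account's password and the permissions granted to it.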
You can read more on the published security advisory.
Further details
You can read more about the vulnerabilities on the Umbraco blog here.