VYPR

Moderate severity · NVD Advisory · Published Mar 16, 2020 · Updated Aug 4, 2024

CVE-2020-9472

Description

Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated file upload in Umbraco CMS 8.5.3 via Install Package functionality leads to remote code execution.

Vulnerability

Overview

CVE-2020-9472 affects Umbraco CMS version 8.5.3, where the Install Package functionality does not properly validate uploaded files. An authenticated attacker can upload a malicious package file (e.g., a .zip archive containing ASPX or other executable code) that the CMS subsequently processes, leading to arbitrary code execution on the server [1].

Exploitation

Prerequisites

Exploitation requires an authenticated session in the Umbraco backoffice with sufficient privileges to access the package installation feature. An attacker can craft a package containing a webshell or other executable payload and upload it via the standard package upload interface [1]. No additional network position is necessary beyond normal authenticated access.

Impact

Assessment

Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the web application, potentially leading to full compromise of the Umbraco instance and underlying server. This can result in data exfiltration, lateral movement, or further attacks against connected systems [1].

Mitigation

Status

A proof-of-concept exploit has been publicly released. Users should upgrade to a patched version of Umbraco CMS beyond 8.5.3 as soon as possible. No official advisory from Umbraco was included in the NVD reference; however, mitigation involves restricting package upload permissions or applying vendor-supplied updates [1].
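One defensive pre-install check for the mechanism described above, added here as an example (it is not part of this advisory or of Umbraco's own code): inspect a package archive for server-interpreted files and path-traversal entries before it is installed, and compare the running version against the advisory's patched version. The package layout, the extension list and the sample archives are assumptions constructed for the example.

```python
"""Defensive check of an Umbraco-style package archive (added example, not project code)."""
import io
import posixpath
import zipfile

# Assumption: files with these extensions are interpreted by IIS/ASP.NET if they
# land under the web root, so a content package should never carry them.
# .config is included because web.config changes alter handler mappings.
SERVER_INTERPRETED_EXTENSIONS = {
    ".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".vbhtml", ".config", ".dll", ".exe",
}


def find_risky_entries(package_bytes: bytes) -> list[str]:
    """Return one finding per zip entry that is server-interpreted or escapes the extract dir."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            normalized = posixpath.normpath(name)
            # Entry would be written outside the extraction directory.
            if posixpath.isabs(name) or normalized == ".." or normalized.startswith("../"):
                findings.append(f"path traversal: {info.filename}")
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext in SERVER_INTERPRETED_EXTENSIONS:
                findings.append(f"server-interpreted file: {info.filename}")
    return findings


def version_is_affected(version: str) -> bool:
    """True when the Umbraco version is below the patched 8.5.4 listed in the advisory table."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (8, 5, 4)


def build_sample_package(entries) -> bytes:
    """Build an in-memory zip from (name, content) pairs; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign content package and one carrying risky entries.
CLEAN_PACKAGE = build_sample_package([("package.xml", "<umbPackage/>"), ("css/site.css", "body{}")])
RISKY_PACKAGE = build_sample_package([
    ("package.xml", "<umbPackage/>"), ("files/page.aspx", "<%@ Page %>"), ("../web.config", "<configuration/>"),
])
```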

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions    Patched versions
UmbracoCms (NuGet)   < 8.5.4              8.5.4

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)