
CVE-2025-49147: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in umbraco Umbraco-CMS

Severity: Medium
Tags: vulnerability, cve-2025-49147, cwe-497
Published: Tue Jun 24 2025 (06/24/2025, 17:37:07 UTC)
Source: CVE Database V5
Vendor/Project: umbraco
Product: Umbraco-CMS

Description

Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute-force a user's password. This information was not exposed in Umbraco 7 or 8, nor in 14 or higher versions. The vulnerability is patched in versions 10.8.11 and 13.9.2.

AI-Powered Analysis

Last updated: 06/24/2025, 18:04:57 UTC

Technical Analysis

CVE-2025-49147 is a medium-severity vulnerability affecting Umbraco CMS versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Umbraco is a widely used open-source .NET content management system. This vulnerability involves the exposure of sensitive system information related to password requirements via an anonymously accessible endpoint. Specifically, an unauthenticated attacker can send a request to this endpoint and retrieve details about the configured password policies. Although the exposed information is limited, it can aid an attacker in refining brute-force or password-guessing attacks by providing insight into password complexity rules such as minimum length, required character types, or other constraints. This vulnerability does not allow direct access to user credentials or other sensitive data but leaks metadata that reduces the effort needed to compromise user accounts. The flaw is present only in specific Umbraco versions (10.x and 13.x branches) and was not found in earlier versions 7 or 8, nor in version 14 or later. The issue has been patched in versions 10.8.11 and 13.9.2. The CVSS v3.1 base score is 5.3, indicating a medium risk, with an attack vector of network (remote), no privileges required, no user interaction needed, and impact limited to confidentiality (partial information disclosure). There are no known exploits in the wild at this time. The vulnerability is classified under CWE-497, which concerns exposure of sensitive system information to unauthorized entities, potentially aiding further attacks.

Potential Impact

For European organizations using affected Umbraco CMS versions, this vulnerability poses a moderate risk primarily to the confidentiality of password policy information. While it does not directly compromise user credentials or system integrity, the leaked password requirements can facilitate more effective brute-force or credential-stuffing attacks against user accounts. This can increase the likelihood of account compromise, especially if users employ weak or reused passwords. Organizations with public-facing Umbraco CMS installations are particularly at risk since the vulnerable endpoint is anonymously accessible over the network. The impact is more pronounced for entities managing sensitive or critical web content, such as government portals, financial institutions, healthcare providers, and large enterprises, where account compromise could lead to data breaches or service disruptions. However, since the vulnerability does not affect availability or integrity directly, the immediate operational impact is limited. The absence of known exploits reduces the urgency but does not eliminate the risk, as attackers could develop exploits leveraging this information disclosure. Overall, the vulnerability lowers the security posture of affected systems and increases the attack surface for credential-based attacks.

Mitigation Recommendations

1. Upgrade affected Umbraco CMS installations to patched versions 10.8.11 or later for the 10.x branch, and 13.9.2 or later for the 13.x branch. This is the most effective and recommended mitigation.
2. If immediate upgrade is not feasible, implement network-level access controls to restrict access to the vulnerable endpoint, such as web application firewall (WAF) rules or reverse proxy filtering, limiting requests to trusted IP ranges or authenticated users only.
3. Enforce strong password policies and encourage or require multi-factor authentication (MFA) for all user accounts to reduce the risk of brute-force attacks succeeding even if password policy information is known.
4. Monitor authentication logs for unusual login attempts or brute-force patterns, and implement rate limiting or account lockout mechanisms to mitigate automated attacks.
5. Conduct security awareness training for administrators and users about the risks of password reuse and phishing, which can compound the threat.
6. Regularly audit and update CMS components and dependencies to ensure timely application of security patches.
7. Consider deploying anomaly detection tools to identify suspicious access patterns to the CMS or its endpoints.

These targeted mitigations go beyond generic advice by focusing on compensating controls and layered defenses tailored to the nature of this information disclosure vulnerability.
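Step 4 above asks for brute-force detection in authentication logs. The following is an added example, not Umbraco's own code or log format: it runs a sliding-window failure counter, keyed by both source IP and account, over constructed sample lines in an assumed "timestamp level message" layout, and reports the moment each key crosses the threshold so a lockout or rate limit can be applied.

```python
"""Sliding-window failed-login burst detector (added example, not from Umbraco)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the layout is an assumption, not real Umbraco output.
SAMPLE_LOG = """\
2025-06-25T10:00:01Z WARN Login failed for user admin@example.org from 203.0.113.7
2025-06-25T10:00:03Z WARN Login failed for user admin@example.org from 203.0.113.7
2025-06-25T10:00:05Z WARN Login failed for user admin@example.org from 203.0.113.7
2025-06-25T10:00:07Z WARN Login failed for user editor@example.org from 203.0.113.7
2025-06-25T10:00:09Z WARN Login failed for user admin@example.org from 203.0.113.7
2025-06-25T10:00:11Z WARN Login failed for user editor@example.org from 203.0.113.7
2025-06-25T10:30:00Z WARN Login failed for user editor@example.org from 198.51.100.9
2025-06-25T10:31:00Z INFO Login succeeded for user editor@example.org from 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) \S+ Login (failed|succeeded) for user (\S+) from (\S+)$")


def parse(log_text):
    """Yield (timestamp, failed, user, ip) for every line matching the assumed layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2) == "failed", m.group(3), m.group(4)


def detect_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {(key_type, key): time_of_first_alert} for each source IP or account
    that accumulates `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = {}
    for ts, failed, user, ip in parse(log_text):
        if not failed:
            continue
        for key in (("ip", ip), ("user", user)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = ts              # first time this key crossed the line
    return alerts


if __name__ == "__main__":
    for (kind, key), when in detect_bursts(SAMPLE_LOG).items():
        print(f"{when.isoformat()} burst from {kind} {key}")
```

With the default threshold only the source IP is flagged (six failures in ten seconds), while no single account reaches five failures; lowering the threshold to four also flags the admin account, which is why counting per account as well as per IP matters when failures are spread across users.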


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-02T10:39:41.635Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685ae55477d44901f08d324a

Added to database: 6/24/2025, 5:50:12 PM

Last enriched: 6/24/2025, 6:04:57 PM

Last updated: 8/12/2025, 9:42:18 PM
