CVE-2025-66625: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in umbraco Umbraco-CMS
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents. In certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. This issue is fixed in version 13.12.1.
AI Analysis
Technical Summary
Umbraco CMS, an ASP.NET-based content management system, suffers from a vulnerability (CVE-2025-66625) affecting versions 10.0.0 up to but not including 13.12.1. The root cause lies in the unsafe handling and deletion of temporary files generated during the dictionary upload process. An attacker with legitimate backoffice credentials can send crafted requests targeting predictable temporary file paths. The server's error responses differ based on whether the file exists: HTTP 500 if the file is present and HTTP 404 if absent. This discrepancy allows the attacker to enumerate arbitrary files on the server filesystem, revealing sensitive information about the server environment. Although direct reading or modification of file contents is not possible, in some configurations, incomplete cleanup of temporary files can inadvertently expose the NTLM hash of the Windows account under which the Umbraco application runs. This hash exposure could facilitate offline brute-force attacks to recover credentials, potentially leading to privilege escalation or lateral movement within the network. The vulnerability requires authenticated access to the backoffice, does not require user interaction, and has a CVSS v3.1 base score of 4.9 (medium severity), reflecting its moderate impact on confidentiality without affecting integrity or availability. The issue was publicly disclosed on December 9, 2025, and is addressed in Umbraco CMS version 13.12.1.
Potential Impact
For European organizations using affected versions of Umbraco CMS, this vulnerability poses a risk of sensitive information exposure through file enumeration and potential NTLM hash leakage. Attackers with backoffice access could map the server filesystem, gaining insights into server configuration and potentially identifying further attack vectors. Exposure of NTLM hashes is particularly concerning in Windows-dominant environments common in Europe, as it can lead to credential compromise and lateral movement within corporate networks. This can result in unauthorized access to sensitive data, disruption of services, and increased risk of broader compromise. Organizations in sectors with high regulatory requirements, such as finance, healthcare, and government, face increased compliance risks if such exposures lead to data breaches. The requirement for authenticated access limits the threat to insiders or attackers who have already compromised user credentials, but the ease of file enumeration and hash exposure increases the risk of privilege escalation and extended network compromise.
Mitigation Recommendations
European organizations should immediately upgrade all Umbraco CMS instances to version 13.12.1 or later to remediate this vulnerability. Until upgrades are applied, restrict backoffice access strictly to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Implement rigorous monitoring and alerting on backoffice access and unusual file system activity to detect exploitation attempts. Review and harden server configurations to ensure temporary files are securely handled and cleaned up promptly, minimizing residual sensitive data exposure. Consider network segmentation to isolate CMS servers from critical infrastructure and limit lateral movement opportunities. Additionally, audit Windows account privileges running the Umbraco application to follow the principle of least privilege, reducing the impact of potential NTLM hash exposure. Regularly update and patch all related infrastructure components and conduct penetration testing focusing on file enumeration and credential exposure vectors.
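The monitoring recommended above can be turned into a concrete check. The detector below is an added example, not code from the advisory or from Umbraco: it scans constructed web-server log lines for the 404/500 existence-oracle pattern the analysis describes (one backoffice user hitting many distinct temp-file paths that only ever answer 404 or 500), assuming a placeholder temp-upload route and a simplified "time user method path status" log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines ("time user method path status"); the temp-upload prefix is a placeholder.
SAMPLE_LOG = """\
2025-12-09T10:00:00Z editor1 GET /backoffice/temp-upload/f1.tmp 404
2025-12-09T10:00:01Z editor1 GET /backoffice/temp-upload/f2.tmp 500
2025-12-09T10:00:02Z editor1 GET /backoffice/temp-upload/f3.tmp 404
2025-12-09T10:00:03Z editor1 GET /backoffice/temp-upload/f4.tmp 404
2025-12-09T10:00:04Z editor1 GET /backoffice/temp-upload/f5.tmp 500
2025-12-09T10:00:05Z editor1 GET /backoffice/temp-upload/f6.tmp 404
2025-12-09T10:00:07Z editor2 GET /backoffice/temp-upload/f1.tmp 404
"""
TEMP_PATH_RE = r"^/backoffice/temp-upload/"  # assumption: replace with the real temp route
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, path, status = m.groups()
    return {"ts": ts, "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "method": method, "path": path, "status": int(status)}

def detect_oracle_probing(lines, path_re=TEMP_PATH_RE, window=timedelta(seconds=60),
                          threshold=5, oracle_statuses=(404, 500)):
    """Flag users who request >= threshold distinct temp paths answering only
    404/500 within one sliding window: the existence-oracle pattern above."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and re.match(path_re, ev["path"]) and ev["status"] in oracle_statuses:
            per_user[ev["user"]].append(ev)
    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end, ev in enumerate(events):
            while ev["time"] - events[start]["time"] > window:
                start += 1  # drop events that fell out of the window
            hits = events[start:end + 1]
            distinct = {e["path"] for e in hits}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["distinct_paths"]):
                best = {"user": user, "distinct_paths": len(distinct), "first": hits[0]["ts"],
                        "last": ev["ts"], "statuses": dict(Counter(e["status"] for e in hits))}
        if best:  # report the widest probing window seen for this user
            alerts.append(best)
    return alerts
```

A legitimate upload touches one or two temp paths, so a burst of distinct 404/500 hits from a single account is the signal worth alerting on; tune `threshold` and `window` to the real request volume.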
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-05T15:18:02.789Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69388517f4a79be77cca2bd3
Added to database: 12/9/2025, 8:22:47 PM
Last enriched: 12/16/2025, 9:44:55 PM
Last updated: 2/7/2026, 11:24:28 AM