CVE-2025-66625: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in umbraco Umbraco-CMS
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents. In certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. This issue is fixed in version 13.12.1.
AI Analysis
Technical Summary
CVE-2025-66625 affects Umbraco CMS, an ASP.NET-based content management system widely used for web content management. The vulnerability stems from improper handling and deletion of temporary files created during the dictionary upload process in versions 10.0.0 through 13.12.0. An attacker with authenticated backoffice access can send crafted requests targeting predictable temporary file paths. The application’s error responses differ based on whether the targeted temporary file exists: HTTP 500 if the file exists and HTTP 404 if it does not. This discrepancy allows the attacker to enumerate the presence of arbitrary files on the server’s filesystem, effectively exposing sensitive information about the server environment. While the vulnerability does not permit reading or modifying file contents directly, certain configurations where temporary upload files are not fully cleaned up may inadvertently expose the NTLM hash of the Windows account under which the Umbraco application runs. This NTLM hash exposure is critical because it can be used in offline brute-force attacks or relay attacks to compromise credentials. The vulnerability requires the attacker to have valid backoffice credentials, meaning it is not exploitable by unauthenticated users. No user interaction is required beyond the attacker’s own actions. The vulnerability has a CVSS 3.1 base score of 4.9 (medium severity), reflecting its moderate impact and the requirement for privileged access. The issue was publicly disclosed on December 9, 2025, and fixed in Umbraco CMS version 13.12.1.
Potential Impact
For European organizations using Umbraco CMS versions 10.0.0 through 13.12.0, this vulnerability poses a risk of sensitive information exposure through file enumeration and potential NTLM hash leakage. File enumeration can aid attackers in mapping the server filesystem, identifying sensitive files, or discovering configuration files that could facilitate further attacks. Exposure of NTLM hashes is particularly concerning in Windows environments common in Europe, as it can lead to credential compromise, lateral movement, and privilege escalation within corporate networks. Organizations with strict data protection requirements under GDPR may face compliance risks if sensitive information is leaked. The requirement for authenticated backoffice access limits the threat to insiders or attackers who have already compromised credentials, but the vulnerability could be exploited by malicious insiders or attackers who have gained backoffice access through phishing or credential theft. The lack of known exploits in the wild reduces immediate risk, but organizations should act promptly to patch and mitigate. The impact on availability and integrity is minimal, but confidentiality is significantly affected due to information disclosure and credential exposure.
Mitigation Recommendations
European organizations should immediately upgrade Umbraco CMS to version 13.12.1 or later to remediate this vulnerability. Until patching is possible, restrict backoffice access strictly to trusted personnel and enforce strong multi-factor authentication (MFA) to reduce the risk of credential compromise. Review and harden file system permissions to limit access to temporary upload directories and ensure proper cleanup of temporary files. Monitor server logs for unusual HTTP 500 and 404 error patterns that could indicate file enumeration attempts. Implement network segmentation to isolate CMS servers from critical internal systems, reducing the impact of potential credential exposure. Conduct regular audits of backoffice user accounts and revoke unnecessary privileges. Employ Windows security best practices to protect NTLM hashes, such as enabling SMB signing and restricting NTLM usage where feasible. Finally, educate staff about phishing and credential security to prevent initial backoffice compromise.
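A detection routine in the spirit of the log-monitoring recommendation above and of the 500/404 discrepancy described in the technical summary, added here as an example that is not part of this advisory or of Umbraco's code. It parses IIS W3C-format lines (a constructed sample; the .tmp paths are placeholders, not Umbraco's real temporary-file locations) and flags a single backoffice user who draws many 404/500 responses for many distinct paths within one window, which is what file-existence probing looks like in server logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (simplified field set).
# The .tmp paths are placeholders, not Umbraco's real temporary-file locations.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-12-09 20:00:01 GET /umbraco/ editor 203.0.113.5 200
2025-12-09 20:00:03 GET /PLACEHOLDER-TEMP-DIR/upload-0001.tmp editor 203.0.113.5 404
2025-12-09 20:00:04 GET /PLACEHOLDER-TEMP-DIR/upload-0002.tmp editor 203.0.113.5 500
2025-12-09 20:00:05 GET /PLACEHOLDER-TEMP-DIR/upload-0003.tmp editor 203.0.113.5 404
2025-12-09 20:00:06 GET /PLACEHOLDER-TEMP-DIR/upload-0004.tmp editor 203.0.113.5 404
2025-12-09 20:00:07 GET /PLACEHOLDER-TEMP-DIR/upload-0005.tmp editor 203.0.113.5 500
2025-12-09 20:00:08 GET /PLACEHOLDER-TEMP-DIR/upload-0006.tmp editor 203.0.113.5 404
2025-12-09 20:00:09 GET /PLACEHOLDER-TEMP-DIR/upload-0007.tmp editor 203.0.113.5 404
2025-12-09 20:01:00 GET /umbraco/ writer 198.51.100.9 200
2025-12-09 20:01:05 GET /media/missing.png writer 198.51.100.9 404
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def enumeration_alerts(text, window=timedelta(seconds=60), min_errors=6, min_distinct=5):
    """Flag (user, ip) pairs that draw many 404/500 responses for many distinct paths
    inside one window; a broken link that 404s repeatedly on one path does not match."""
    events = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["sc-status"] in {"404", "500"}:  # the two responses that differ by file existence
            ts = datetime.fromisoformat(rec["date"] + " " + rec["time"])
            events[(rec["cs-username"], rec["c-ip"])].append((ts, rec["cs-uri-stem"]))
    alerts = []
    for (user, ip), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # two-pointer sliding window over error events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {path for _, path in span}
            if len(span) >= min_errors and len(distinct) >= min_distinct:
                alerts.append({"user": user, "ip": ip, "errors": len(span), "distinct_paths": len(distinct)})
                break  # one alert per client is enough for triage
    return alerts
```

Thresholds are deliberately conservative defaults; tune them against a baseline of the site's normal 404 rate before wiring the output into alerting.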
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-05T15:18:02.789Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69388517f4a79be77cca2bd3
Added to database: 12/9/2025, 8:22:47 PM
Last enriched: 12/9/2025, 8:37:56 PM
Last updated: 12/10/2025, 10:00:24 PM