
Emerging Threat: CVE-2025-64095 – Critical Unauthenticated File Upload Vulnerability in DNN (DotNetNuke)

Amit Sheps, Product Marketing Leader

What is CVE-2025-64095

CVE-2025-64095 is a critical unauthenticated file-upload vulnerability affecting DNN (DotNetNuke) versions prior to 10.1.1. The flaw exists in the platform’s default HTML editor provider, where upload validation and authorization checks were insufficient. Attackers can upload files and overwrite existing content without credentials, enabling page defacement, malicious script injection, and in some environments stored cross-site scripting (XSS). Internet-exposed DNN instances are the most at risk, especially where the upload endpoint is publicly reachable and running a default configuration.

What assets are affected by CVE-2025-64095

Any external-facing DNN deployment running a version below 10.1.1 is vulnerable. Organizations most exposed include those operating:

  • Public corporate sites and marketing portals
  • Customer, partner, or supplier access portals
  • Externally published intranet systems
  • Legacy DNN instances hosted on shared or unmanaged infrastructure

Environments with default HTML editor settings or weak upload controls face increased risk.

Are fixes available?

Yes. DNN resolved the issue in version 10.1.1, correcting upload authorization and validation logic.

Upgrading to version 10.1.1 or later is the recommended and most reliable method to mitigate the vulnerability. Organizations relying on hosted or third-party environments should confirm the provider has applied the fix.

  • Restrict or disable HTML editor upload endpoints
  • Enforce authentication at the application and web server levels
  • Apply WAF rules to inspect and block suspicious multipart upload requests
  • Harden file permissions to prevent overwriting core application files
  • Monitor logs for unexpected POST requests or abnormal file changes

These controls reduce the attack surface and provide time to complete patching.
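The log-monitoring control above can be turned into a concrete check. The following is an added example, not code from CyCognito or the DNN project: it parses a constructed tab-separated log format (timestamp, client IP, method, path, username, content type, status) and flags multipart POST requests to the editor upload handler that carry no authenticated user. The `UPLOAD_PATH_PREFIX` is a placeholder assumption, as is the `example-upload-handler` file name in the sample lines; substitute the path your DNN instance actually serves. A 2xx response to such a request is the unpatched behaviour and is rated high; a 4xx means a WAF or authentication control blocked it.

```python
"""Spot unauthenticated multipart POSTs to a DNN HTML-editor upload endpoint
in web-server logs.  Added example; the log format, endpoint path and sample
lines are all constructed for this demonstration."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumption: placeholder path prefix for the editor provider's upload handler.
# Replace it with the path your DNN instance actually serves.
UPLOAD_PATH_PREFIX = "/providers/htmleditorproviders/"


@dataclass
class LogEvent:
    timestamp: str
    client_ip: str
    method: str
    path: str
    username: str      # "-" means no authenticated user, as in IIS W3C logs
    content_type: str
    status: int


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one tab-separated log line (constructed format); None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, ip, method, path, user, ctype, status = fields
    if not status.isdigit():
        return None
    return LogEvent(ts, ip, method.upper(), path, user, ctype, int(status))


def is_upload_endpoint(path: str) -> bool:
    """Case-insensitive match against the (placeholder) upload handler prefix."""
    return path.lower().startswith(UPLOAD_PATH_PREFIX)


def detect(lines: List[str], burst_threshold: int = 3) -> List[dict]:
    """Return findings for anonymous multipart uploads and per-IP bursts."""
    findings = []
    anon_by_ip = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.method != "POST" or not is_upload_endpoint(ev.path):
            continue
        if ev.username != "-":
            continue  # an authenticated editor uploading is expected behaviour
        if not ev.content_type.lower().startswith("multipart/form-data"):
            continue
        anon_by_ip[ev.client_ip] += 1
        # 2xx/3xx: the server accepted the anonymous upload (unpatched behaviour).
        # 4xx: authentication or a WAF rule blocked it; worth knowing, lower urgency.
        severity = "high" if ev.status < 400 else "info"
        findings.append({"kind": "anonymous_multipart_upload", "severity": severity,
                         "ip": ev.client_ip, "path": ev.path, "status": ev.status,
                         "timestamp": ev.timestamp})
    for ip, n in anon_by_ip.items():
        if n >= burst_threshold:
            findings.append({"kind": "upload_burst", "severity": "medium",
                             "ip": ip, "count": n})
    return findings


def summarize(findings: List[dict]) -> Counter:
    """Count findings by (kind, severity) for a quick dashboard line."""
    return Counter((f["kind"], f["severity"]) for f in findings)


# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "\t".join(["2025-11-04T09:15:02Z", "203.0.113.7", "POST",
               "/Providers/HtmlEditorProviders/example-upload-handler", "-",
               "multipart/form-data; boundary=abc", "200"]),
    "\t".join(["2025-11-04T09:15:09Z", "203.0.113.7", "POST",
               "/Providers/HtmlEditorProviders/example-upload-handler", "-",
               "multipart/form-data; boundary=abc", "403"]),
    "\t".join(["2025-11-04T09:16:30Z", "198.51.100.4", "POST",
               "/Providers/HtmlEditorProviders/example-upload-handler", "editor01",
               "multipart/form-data; boundary=def", "200"]),
    "\t".join(["2025-11-04T09:17:01Z", "203.0.113.7", "GET",
               "/Default.aspx", "-", "-", "200"]),
    "\t".join(["2025-11-04T09:17:44Z", "203.0.113.7", "POST",
               "/Providers/HtmlEditorProviders/example-upload-handler", "-",
               "multipart/form-data; boundary=ghi", "200"]),
    "this line is malformed",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
    print(summarize(detect(SAMPLE_LOG)))
```

Feed it real access logs by mapping your log fields onto the seven columns; the burst threshold is deliberately low so that a handful of anonymous upload attempts from one address surfaces as a separate medium-severity finding even when each individual request was blocked.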

Is CVE-2025-64095 being actively exploited?

Widespread exploitation has not yet been confirmed. However, the vulnerability is easy to abuse, publicly documented, and scanning activity has already begun. With exploitation requiring no authentication and minimal technical skill, unpatched public DNN systems should be considered at risk and prioritized for remediation.

How is CyCognito helping customers identify assets vulnerable to CVE-2025-64095

CyCognito continuously discovers and fingerprints every internet-facing asset, including websites and portals running DNN. The platform automatically identifies versions below 10.1.1, surfaces exposed file-upload endpoints, and checks whether they are reachable without authentication. It also correlates technical exposure with business context, so security teams can quickly see whether a vulnerable DNN system sits on a high-value domain, handles customer traffic, or connects to sensitive applications. CyCognito published an emerging threat advisory within the CyCognito platform on November 3, 2025 and is actively researching enhanced detection capabilities for this vulnerability. This helps teams act fast, focus on the assets that matter most, and shrink the window before attackers begin probing the same systems.
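The version triage described in the paragraph above can be reproduced for your own asset inventory. This is an added example, not CyCognito platform code: it extracts a `major.minor.patch` version from a fingerprinted banner or meta string (DNN builds also appear with zero-padded numbers such as `09.13.08`), compares it against the 10.1.1 fix stated in the advisory, and orders the inventory so vulnerable hosts come first, then hosts whose version could not be determined, then fixed ones. The hostnames and banner strings in `SAMPLE_ASSETS` are constructed.

```python
"""Triage fingerprinted DNN version strings against the 10.1.1 fix.
Added example; hostnames and banner strings are constructed."""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = (10, 1, 1)   # version that corrects the upload checks, per the advisory

# Accept zero-padded components ("09.13.08") and plain ones ("10.1.1").
_VERSION_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})")

Version = Tuple[int, int, int]


def parse_dnn_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from a banner string, or None if absent."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(version: Version) -> bool:
    """Tuple comparison handles 10.0.2 < 10.1.1 < 10.1.10 correctly."""
    return version < FIXED_VERSION


def triage(assets: List[Tuple[str, str]]) -> List[Tuple[str, Optional[Version], str]]:
    """Classify (hostname, banner) pairs and sort vulnerable hosts to the top.

    Hosts with an unrecognisable version are kept, not dropped: an asset you
    cannot version is still an asset you have to verify.
    """
    results = []
    for host, banner in assets:
        version = parse_dnn_version(banner)
        if version is None:
            results.append((host, None, "unknown"))
        else:
            results.append((host, version, "vulnerable" if is_vulnerable(version) else "fixed"))
    order = {"vulnerable": 0, "unknown": 1, "fixed": 2}
    results.sort(key=lambda r: (order[r[2]], r[0]))
    return results


# Constructed inventory; not real hosts or fingerprints.
SAMPLE_ASSETS = [
    ("portal.example.com", "DNN 09.13.08"),
    ("www.example.com", "DNN Platform 10.1.1"),
    ("legacy.example.com", "DotNetNuke 10.0.2"),
    ("partner.example.com", "DNN (version not exposed)"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_ASSETS):
        print(f"{status:10} {host:22} {version}")
```

Replace `SAMPLE_ASSETS` with the output of your own fingerprinting; anything classed `unknown` should be confirmed by hand or treated as vulnerable until proven otherwise, since the advisory's remediation hinges entirely on being at 10.1.1 or later.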

Check out CyCognito’s Emerging Threats page for more information on potentially relevant vulnerabilities.

How can CyCognito help your organization?

CyCognito helps you find every externally exposed DNN asset, including those you didn’t know existed, then verifies whether they’re actually vulnerable rather than generating noise. By tying exposure to business context, CyCognito shows which systems matter most so security teams can focus on the real risk first, track remediation progress, and continuously monitor for re-exposure as environments change. If your external footprint includes DNN-based portals, make sure they are upgraded to version 10.1.1 or later and restrict upload access. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.
