The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2025-64095, a cross-site scripting vulnerability in the DNN Platform (formerly DotNetNuke). CVE-2025-64095 allows attackers to upload arbitrary files to DNN without requiring any authentication checks. It also allows attackers to overwrite existing files in the filesystem. As DNN is often used as a public-facing CMS, this vulnerability could lead to website defacing, a tactic often used by ransomware groups. Attackers could also execute cross-site scripting attacks by uploading arbitrary scripts that might be executed in the browsers of users. CrowdSec intelligence has identified approximately 30 distinct IP addresses probing for this vulnerability. The vulnerability affects all versions of DNN 10.1.1.
CrowdSec’s key findings on CVE-2025-64095
- The vulnerability was published to NVD on October 28, 2025. CrowdSec started tracking active exploitation on November 27, 2025, with the first attacks detected almost immediately after.
- Exploitation attempts were discovered almost immediately after the release of the detection rule, suggesting ongoing exploitation campaigns.
- While detailed write-ups of the vulnerability don’t exist yet, proof-of-concept code has been shared publicly. Combined with the information about attacks detected by CrowdSec, we conclude that exploitation is very likely.
What is the DNN Platform?
DNN is an open-source content management system (CMS) based on the Microsoft .NET framework. According to its creators, it is the backbone for thousands of corporate websites, intranets, and public-facing portals, and a popular choice for SMBs within the European market. It is typically managed by IT teams and web administrators in organizations that rely heavily on the Microsoft ecosystem, making it the WordPress of the Microsoft ecosystem. Due to the mostly non-technical nature of its users, it is quite likely that attacks on DNN are caught quite late, making quick remediation and patching a priority.Â
About the exploit
There is no detailed public write-up available for CVE-2025-64095. It appears that the vulnerability was found, disclosed, and quickly fixed by the developers of DNN themselves. By looking at the change sets within the code, we can still provide some analysis. The vulnerability itself lies in the default HTML editor provider. Specifically, the FileUploader.ashx endpoint allows unauthenticated users to upload files to the server. What’s worse is that the endpoint also fails to check if a file already exists, allowing attackers to overwrite existing files and scripts. This makes website defacement trivially easy, as existing images and articles are saved as files to this filesystem. The ability to overwrite arbitrary files on the server also opens the door to an additional set of attacks, including a potential RCE if attackers manage to overwrite executable code or configuration files.
Trend analysis
Detection for this vulnerability was added only recently. As a consequence, it is a bit too early to give a good assessment of the long-term trends of exploitation activity. However, the data indicates that proof-of-concept code is likely circulating widely. From the data we have, it also seems likely that current attacks are mostly caused by automated scanners that are opportunistically attacking random servers with multiple different attacks.
How to protect your systems
If you are running DNN Platform versions before 10.1.1, you are vulnerable.
- Patch: Upgrade to DNN Platform 10.1.1 or later. This version fixes the unrestricted file upload issue. The patch was released on the 25th of September.
- Stay Proactive: If you cannot patch immediately, you can mitigate the risk by using tools such as the CrowdSec WAF to block access to the vulnerable endpoint.
You can learn more about this vulnerability and the information we have gathered by checking out our CVE Explorer page.