
Security Advisory, December 9, 2025: Security Patch is now available

Written by Andy Butland

Summary: A moderate vulnerability has been found and fixed in Umbraco 13. Today, we have released a patch for the affected version and recommend upgrading. Projects hosted on Umbraco Cloud will receive the fix automatically.

Who’s affected?

Versions affected:

  • Umbraco 13.0.0 - 13.12.0

Unsupported versions can be subject to the vulnerability, but will not receive a patch. We recommend upgrading to a supported major version.

How to fix the vulnerability

A patch is available for the latest minor version of Umbraco 13. As we are looking at a patch upgrade, and the fix is straightforward, we expect the update to only require minimal effort per project.

Instructions on patch availability and how to upgrade can be found in the release notes for Umbraco 13.12.1.

Automatic fix on Umbraco Cloud

All Umbraco Cloud sites running the latest minor version of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed.

If a project is not running the latest minor version (13.12.x), the patch can be applied using the minor upgrade feature.

[Screenshot from the Umbraco Cloud Portal showing the option to turn on Automatic Minor Upgrades]

ℹ️ Note that Umbraco Cloud also supports automated minor upgrades. This can be enabled on a per-project level and ensures you're always ready to receive the latest patch.

What we know about the vulnerability

The vulnerability is found in the feature that allows upload of dictionary and content types from .udt files. If certain conditions are in place, and a manipulated request is made to the endpoints that process the uploads, the possibility exists to:

  • Enumerate the file system to determine the existence of specific files.

  • Obtain the NTLM hash of the user account used on the application pool.
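Both outcomes above come from an upload-processing endpoint acting on a file reference it should not have trusted. The following is an added example of the defensive pattern for that class of problem; it is not Umbraco's code and not the actual 13.12.1 fix. It assumes a hypothetical `ImportPathGuard` helper that confines any user-supplied file reference to an allowed root directory, rejects rooted and UNC forms before the process touches them (a UNC reference would make the application pool account authenticate to the named host), and leaves it to the caller to return one uniform error so that the endpoint cannot be used as a file-existence oracle.

```csharp
using System;
using System.IO;

// Added example: confine a user-supplied file reference to an allowed root.
// Not Umbraco's code. The class and method names are hypothetical.
public static class ImportPathGuard
{
    // Returns the absolute path the reference resolves to, or throws if the
    // reference is absolute, a UNC path, or escapes the allowed root.
    public static string ResolveWithinRoot(string allowedRoot, string userSupplied)
    {
        if (string.IsNullOrWhiteSpace(userSupplied) || userSupplied.Contains('\0'))
            throw new ArgumentException("Invalid file reference.");

        // Reject rooted, drive-qualified and UNC forms outright. The explicit
        // checks matter because on Linux Path.IsPathRooted does not treat
        // backslash-prefixed or "C:"-prefixed strings as rooted.
        if (Path.IsPathRooted(userSupplied)
            || userSupplied.StartsWith(@"\\", StringComparison.Ordinal)
            || userSupplied.StartsWith("//", StringComparison.Ordinal)
            || userSupplied.Contains(':'))
            throw new UnauthorizedAccessException("Absolute and UNC references are not permitted.");

        // Normalise the root so a prefix comparison cannot be fooled by
        // "importsX" matching "imports".
        var rootFull = Path.GetFullPath(allowedRoot);
        if (!rootFull.EndsWith(Path.DirectorySeparatorChar))
            rootFull += Path.DirectorySeparatorChar;

        // GetFullPath collapses ".." segments; anything that escapes the root is refused.
        var candidate = Path.GetFullPath(Path.Combine(rootFull, userSupplied));
        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Reference escapes the import root.");

        return candidate;
    }

    public static void Main()
    {
        // Constructed sample inputs: one legitimate relative reference and
        // three shapes a guard like this is meant to stop.
        var root = Path.Combine(Path.GetTempPath(), "udt-imports");
        string[] samples =
        {
            "types/article.udt",
            "../../appsettings.json",
            @"\\example-host\share\payload.udt",
            "C:/Windows/win.ini",
        };

        foreach (var s in samples)
        {
            try
            {
                // Callers should not echo which check failed, or whether the
                // resolved file exists, back to the client; log it instead.
                Console.WriteLine($"ACCEPT {s} -> {ResolveWithinRoot(root, s)}");
            }
            catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException)
            {
                Console.WriteLine($"REJECT {s} ({ex.GetType().Name})");
            }
        }
    }
}
```

Only the first sample is accepted; the traversal, UNC and drive-qualified references are all refused before any file system or network access happens. Pair this with a single generic error response on the endpoint, since a distinguishable "not found" versus "access denied" reply is exactly what turns such an endpoint into the enumeration primitive described above.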

We have evaluated this as a moderate vulnerability.

There are mitigating factors to be aware of that you may consider lower the practical risk:

  • The vulnerability can only be exploited within the context of an authenticated backoffice user, and as such a compromised or rogue account is first necessary.

  • The NTLM hash could only be practically used to obtain the credentials associated with the application pool if the password used on the account is weak.

  • Even if the credentials are obtained, the level of access will be limited by that given to the application pool account.

You can read more on the published security advisory.

Credit

We'd like to thank Tomasz Holeksa at Pentest Limited for reporting the issue and responsible disclosure of details regarding the vulnerability.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisories page. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.

For direct communication related to security in Umbraco products, please sign up for the dedicated security mailing list.