CVE-2025-32372: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A critical vulnerability (CVE-2025-32372) was identified as a bypass for the previously known vulnerability CVE-2017-0929. The vulnerability was discovered and disclosed on April 9, 2025, affecting versions prior to 9.13.8. This security flaw allows unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks (NVD, GitHub Advisory).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) attack with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring No privileges (PR:N) but does need User interaction (UI:R). The scope is Unchanged (S:U), with No impact on confidentiality (C:N), High impact on integrity (I:H), and No impact on availability (A:N). The vulnerability is tracked under CWE-918 (Server-Side Request Forgery) (GitHub Advisory).

This vulnerability facilitates a semi-blind SSRF attack, enabling attackers to make the target server send requests to internal or external URLs without viewing the full responses. The main impacts include internal network reconnaissance and the potential to bypass firewalls, which could lead to unauthorized access to internal systems (GitHub Advisory).

The vulnerability has been fixed in DNN version 9.13.8. Users are strongly advised to upgrade to this version or later to protect against this security flaw (GitHub Advisory, GitHub Commit).