External risk intelligence

Umbraco Forms Unauthenticated Arbitrary Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2021-33224

Umbraco Forms is a component of a web content management system, which is typically deployed as a public-facing web application. Since it handles form submissions directly from web users, it is commonly exposed to the public internet in standard deployment patterns.

Unrestricted File Upload

Umbraco Forms

8.7.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Umbraco Forms affecting version 8.7.0, allowing unauthenticated attackers to execute arbitrary code on affected systems. This is concerning because Umbraco Forms are often used on public-facing websites. The main concern is confirming relevance and exposure for this specific issue.

  • Unauthenticated code execution in Umbraco Forms.
  • Public-facing web applications are potential targets.
  • Confirm relevance and exposure for your Umbraco Forms.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by uploading a specially crafted `web.config` file to bypass security restrictions, followed by uploading an executable `.asp` file to the same location. This allows them to execute arbitrary code on the server.

  • No authentication required.
  • Upload malicious `web.config` and `.asp` files.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on the server when a specially crafted file is uploaded. This could impact the integrity and availability of the web application.

  • Arbitrary code execution on the server.
  • Uploading a crafted `web.config` and `.asp` file.
  • Compromise of the web application.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Umbraco Forms allows unauthenticated attackers to execute arbitrary code by uploading a crafted web.config and asp file. Real-world ownership likely falls to the application or platform team responsible for the Umbraco CMS, in coordination with the network and security teams to assess exposure. The immediate first step is to identify all instances of Umbraco Forms, confirm reachability, and determine business criticality to prioritize remediation efforts.

  • Application or platform team owns remediation.
  • Verify all Umbraco Forms instances.
  • Plan vendor coordination and updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Umbraco Forms and why is it used?

Umbraco Forms is a specialized extension for the Umbraco content management system. It provides developers and site administrators with a framework to create, manage, and process data from web-based contact or input forms, which are essential for capturing user feedback, registrations, or other interactive data directly within a website.

How does CWE-434 relate to CVE-2021-33224?

This vulnerability is classified as CWE-434, which is the Unrestricted Upload of File with Dangerous Type weakness. In plain terms, the software fails to properly check or limit the types of files a user can upload. Because of this, an attacker can bypass security controls to send files that the server might mistakenly execute instead of simply storing.

What must an attacker do to trigger this vulnerability?

The attack requires uploading two specific files in sequence: a specially crafted web.config file designed to modify server configuration, followed by an executable .asp file. This vulnerability is not triggered by standard form submissions or typical user interactions; it requires the successful upload of these specific malicious file types to the server.

Is my Umbraco Forms instance at high risk?

Halo Surface Signal indicates that Umbraco Forms is typically deployed as a public-facing web application to handle user input. Because this component is often exposed to the public internet to function, any instance running the affected version is highly likely to be reachable by unauthorized parties, making it a critical area of concern.

What are the first steps to address CVE-2021-33224?

Begin by inventorying your environment to locate all active Umbraco Forms installations. Once identified, confirm which instances are currently running version 8.7.0. Coordinate with your application owners to prioritize these systems for remediation, ensuring that any necessary updates or security configurations are applied to neutralize the risk of unauthorized file uploads.

References