CVE-2022-26352 — dotCMS Unrestricted Upload of File Vulnerability

dotCMS — Pre-Auth RCE via Unrestricted File Upload with Directory Traversal in ContentResource API

What is dotCMS?

dotCMS is an open-source Java-based content management system (CMS) and digital experience platform used by enterprises and media companies to manage web content, marketing campaigns, and digital assets. The platform provides REST APIs for content management, including file upload functionality for managing media assets and attachments. dotCMS is deployed both on-premises and in cloud environments.

Overview

CVE-2022-26352 is a pre-authentication remote code execution vulnerability in dotCMS arising from an unrestricted file upload combined with path traversal in the ContentResource API. An unauthenticated attacker can upload a file whose filename contains path traversal sequences (../), causing the uploaded file to be written outside the intended upload directory, specifically into a web-accessible location. By uploading a server-side script file to such a path, the attacker achieves arbitrary code execution on the server. The CVSS 3.1 base score is 9.8, and the CISA KEV entry records known ransomware use.

Affected Versions

Version                  Status
dotCMS prior to 22.03    Vulnerable
dotCMS 22.03 and later   Fixed

Technical Details

The ContentResource API in dotCMS allows uploading binary files (images, documents, media assets) to the CMS content repository. The vulnerability combines two weaknesses:

  1. Missing authentication: The upload endpoint accepts file uploads without requiring a valid user session
  2. Path traversal in filename handling: The API processes the uploaded filename without sanitizing directory traversal sequences, allowing the file to be written to arbitrary filesystem locations

An attacker submits a crafted multipart upload request where the filename contains ../ sequences to traverse out of the intended upload directory and place a server-side script file into the Tomcat webapps/ROOT directory or another web-accessible location. Once the script file is in a web-accessible path, the attacker triggers execution by sending an HTTP request to it, achieving arbitrary OS command execution with the privileges of the application server process.

Discovery

Discovered by security researchers and reported to dotCMS via their security disclosure program. dotCMS released a patch in version 22.03.

Exploitation Context

CMS platforms are attractive targets because they are internet-facing by design and often contain:

  • Customer data and PII
  • Marketing credentials and third-party service API keys
  • Payment processing integrations
  • Administrative access to website content

The CISA KEV catalog's known-ransomware-use flag indicates that ransomware operators used this vulnerability to gain initial access to organizations running dotCMS, most likely placing a webshell for reconnaissance and credential harvesting before deploying ransomware payloads for maximum impact.

Remediation

  1. Upgrade to dotCMS 22.03 or later: The patch adds proper authentication requirements and filename sanitization to the ContentResource API.
  2. Review web-accessible directories: Check the dotCMS webroot and Tomcat webapps directory for unexpected script files that may be webshells from previous exploitation.
  3. Implement WAF rules: Block multipart upload requests containing ../ path traversal sequences in filenames.
  4. Restrict content API access: If unauthenticated content API access is not required, enforce authentication on the /api/v1/content endpoint.
  5. Audit upload directory: Review all recently uploaded files for suspicious content — unexpected server-side script files are indicators of compromise.
  6. Incident response: If pre-patch exposure is suspected, treat the host as potentially compromised. Look for evidence of credential dumping, lateral movement and data exfiltration, since these typically precede ransomware staging.
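The filename-handling weakness described under Technical Details and the filename sanitization and WAF rule called for in remediation items 1 and 3, shown side by side as an added illustration (this is not dotCMS code and does not reproduce its ContentResource implementation): the naive join that lets a client-controlled filename escape the upload directory, a WAF-style traversal check, and a hardened path builder. The sample Content-Disposition headers, the upload directory /srv/uploads and the extension allowlist are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed multipart part headers, as an upload handler or WAF would see them
# (illustrative only; not traffic captured from dotCMS).
SAMPLE_HEADERS = [
    'form-data; name="file"; filename="report.pdf"',
    'form-data; name="file"; filename="../../webapps/ROOT/x.jsp"',
    'form-data; name="file"; filename="..%5c..%5cx.jsp"',
    'form-data; name="file"; filename="/tmp/x.jsp"',
]
_FILENAME_RE = re.compile(r'filename="([^"]*)"')
# Assumed allowlist for a media-asset endpoint; no server-side script types.
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".docx"}

def extract_filename(content_disposition: str) -> str:
    """Pull the raw filename parameter out of a Content-Disposition header."""
    m = _FILENAME_RE.search(content_disposition)
    return m.group(1) if m else ""

def looks_like_traversal(filename: str) -> bool:
    """WAF-style check: percent-decode, unify separators, flag '..' components or absolute paths."""
    norm = unquote(filename).replace("\\", "/")
    return norm.startswith("/") or ".." in norm.split("/")

def naive_upload_path(upload_dir: str, filename: str) -> str:
    """The vulnerable pattern: join the client-supplied filename as-is."""
    return os.path.normpath(os.path.join(upload_dir, filename))

def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened: reject traversal, enforce a name and extension allowlist, confirm containment."""
    if looks_like_traversal(filename):
        raise ValueError(f"traversal in filename: {filename!r}")
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", filename):
        raise ValueError(f"filename outside allowlist: {filename!r}")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"disallowed extension: {filename!r}")
    root = os.path.abspath(upload_dir)
    target = os.path.abspath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:  # defence in depth
        raise ValueError(f"escapes upload dir: {filename!r}")
    return target

def vet_upload(upload_dir: str, content_disposition: str) -> tuple:
    """Return ("accept", path) or ("reject", reason) for one multipart part."""
    try:
        return ("accept", safe_upload_path(upload_dir, extract_filename(content_disposition)))
    except ValueError as exc:
        return ("reject", str(exc))
```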

Key Details

Property              Value
CVE ID                CVE-2022-26352
Vendor / Product      dotCMS / dotCMS
NVD Published         2022-07-17
NVD Last Modified     2025-11-03
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CISA KEV Added        2022-08-25
CISA KEV Deadline     2022-09-15
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-09-15. Apply updates per vendor instructions.

Timeline

Date        Event
2022-07-17  CVE published; dotCMS released patched version 22.03
2022-08-25  Added to CISA Known Exploited Vulnerabilities catalog
2022-09-15  CISA BOD 22-01 remediation deadline

References

Resource                         Type
NVD CVE-2022-26352 entry         Vulnerability Database
CISA KEV Catalog Entry           US Government
dotCMS Security Advisory SI-62   Vendor Advisory