CVE-2017-9822

CVE-2017-9822 is a high-severity vulnerability in Dnnsoftware Dotnetnuke with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-94.

Key facts

Description

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

CVE-2017-9822: DNN Cookie Deserialization Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2017-9822
Product DNN (DotNetNuke)
CVSS v2 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS v3 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-94: Improper Control of Generation of Code ("Code Injection")
EPSS 0.94789 (99.85th percentile)
KEV Listed since 2021-11-03
EU Exploited Yes, since 2021-11-03

Summary

DNN (also known as DotNetNuke), a popular ASP.NET content-management system, contains a remote code execution vulnerability in versions prior to 9.1.1. An attacker with low-privilege access can achieve full system compromise by supplying a crafted cookie that triggers unsafe deserialization on the server.

Background

DNN is an open-source web-content-management platform built on ASP.NET. It has been widely deployed in enterprise intranets, public-facing websites, and SaaS multi-tenant environments. Prior to the 9.1.1 release, the framework handled certain client-state cookies in a manner that allowed attacker-controlled serialized objects to be deserialized by the server-side runtime.

Root Cause

CWE-94: Improper Control of Generation of Code ("Code Injection")

The vulnerability stems from unsafe deserialization of untrusted data within cookie handling logic. When DNN processes a specially crafted cookie, it deserializes the payload without sufficient validation of the object types being reconstructed. In .NET applications, this class of flaw is frequently exploitable because the deserialization binder can be tricked into instantiating arbitrary types, leading directly to code execution.

Impact

The CVSS v3 score of 8.8 (HIGH) reflects severe consequences for confidentiality, integrity, and availability:

  • Confidentiality Impact: HIGH — an attacker can read sensitive files, database connection strings, and cryptographic keys stored on the server.
  • Integrity Impact: HIGH — the attacker can modify application code, content, and configuration.
  • Availability Impact: HIGH — the attacker can crash the application or pivot to the underlying operating system.

The CVSS v2 score of 6.5 with "Au:SINGLE" indicates that some form of authentication is required; however, even a low-privilege account (or a stolen session) is sufficient to reach full compromise.

Exploitation Walkthrough

Ethics caveat: This section describes the defensive anatomy of the attack. It does not contain weaponized exploit code.

  1. Reconnaissance: The attacker identifies a DNN instance running a version earlier than 9.1.1. Publicly accessible version banners, JavaScript files, or login-portal branding may reveal the target platform.
  2. Authentication: The attacker authenticates with any valid account (the CVSS v2 metric is Au:SINGLE). In some configurations, even an anonymous or self-registered account may suffice.
  3. Payload crafting: The attacker constructs a serialized .NET object embedded inside a cookie value. The object is designed to chain gadget types already present in the application's bin directory or in the Global Assembly Cache (GAC), ultimately invoking arbitrary system commands or spawning a reverse shell.
  4. Delivery: The attacker sends an HTTP request to the DNN site with the malicious cookie. The server deserializes the cookie, the gadget chain executes, and the attacker gains remote code execution in the context of the application pool identity.
  5. Post-exploitation: Typical follow-on actions include lateral movement, credential harvesting from web.config, installation of persistence mechanisms, or deployment of web shells.

Affected and Patched Versions

Status Version
Affected DNN (DotNetNuke) < 9.1.1
Patched DNN 9.1.1 and later

The NuGet package DotNetNuke.Core versions prior to 9.1.1 are also affected.

Remediation

  1. Upgrade immediately: Apply DNN 9.1.1 or the latest supported release. The vendor published the fix under security bulletin "2017-08 (Critical)".
  2. Compensating controls (if upgrade is not immediately possible):
    • Restrict network access to the DNN administrative interfaces using IP allow-listing or VPN gating.
    • Disable self-registration and anonymous access to reduce the attack surface.
    • Implement Web Application Firewall (WAF) rules that detect anomalous cookie sizes or Base64-encoded payloads characteristic of .NET deserialization gadgets.
    • Run the application pool under a low-privilege identity with minimal filesystem and network rights.

Detection

  • Network: Monitor for unusually large cookie values or repeated HTTP 500 errors immediately following authenticated requests.
  • Endpoint: Look for unexpected child processes spawned by the IIS worker process (w3wp.exe), such as cmd.exe, powershell.exe, or common living-off-the-land binaries.
  • File integrity: Alert on new .aspx, .ashx, or .asmx files dropped into web-accessible directories.
  • Logging: Correlate authentication events with subsequent suspicious administrative actions or outbound connections from the web server.

Assessment

With an EPSS score of 0.94789 (99.85th percentile) and confirmed inclusion in both the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Exploited Vulnerabilities Database, CVE-2017-9822 is not merely theoretical — it is actively exploited in the wild. The gap between the original 2017 disclosure and the 2021 KEV listing suggests that threat actors continued to leverage this flaw against unpatched legacy instances for years.

Key lessons:

  1. Deserialization is a critical attack surface: Any code path that deserializes attacker-controlled data should be treated as high-risk and subjected to strict type whitelisting or schema validation.
  2. Legacy instances matter: Organizations that delay patching CMS platforms often become soft targets long after the vulnerability is public knowledge. Continuous asset inventory and exposure management are essential.

References

Frequently asked questions

What is CVE-2017-9822?
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
How severe is CVE-2017-9822?
CVE-2017-9822 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-9822 being actively exploited?
Yes. CVE-2017-9822 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-9822?
CVE-2017-9822 affects Dnnsoftware Dotnetnuke. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2017-9822?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-9822 have an EU (EUVD) identifier?
Yes. CVE-2017-9822 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-0710. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2017-9822 published?
CVE-2017-9822 was published on 2017-07-20 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Dnnsoftware Dotnetnuke

All CVEs affecting Dnnsoftware Dotnetnuke →

Other CWE-94 (Code Injection) vulnerabilities

Browse all CWE-94 (Code Injection) vulnerabilities →