CVE-2017-9822
CVE-2017-9822 is a high-severity vulnerability in Dnnsoftware Dotnetnuke with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-94.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 6.5
- EPSS exploit prediction: 95% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2018-0710
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-94
- Affected product: Dnnsoftware Dotnetnuke
- Published:
- Last modified:
Description
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
CVE-2017-9822: DNN Cookie Deserialization Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-9822 |
| Product | DNN (DotNetNuke) |
| CVSS v2 | 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) |
| CVSS v3 | 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-94: Improper Control of Generation of Code ("Code Injection") |
| EPSS | 0.94789 (99.85th percentile) |
| KEV | Listed since 2021-11-03 |
| EU Exploited | Yes, since 2021-11-03 |
Summary
DNN (also known as DotNetNuke), a popular ASP.NET content-management system, contains a remote code execution vulnerability in versions prior to 9.1.1. An attacker with low-privilege access can achieve full system compromise by supplying a crafted cookie that triggers unsafe deserialization on the server.
Background
DNN is an open-source web-content-management platform built on ASP.NET. It has been widely deployed in enterprise intranets, public-facing websites, and SaaS multi-tenant environments. Prior to the 9.1.1 release, the framework handled certain client-state cookies in a manner that allowed attacker-controlled serialized objects to be deserialized by the server-side runtime.
Root Cause
CWE-94: Improper Control of Generation of Code ("Code Injection")
The vulnerability stems from unsafe deserialization of untrusted data within cookie handling logic. When DNN processes a specially crafted cookie, it deserializes the payload without sufficient validation of the object types being reconstructed. In .NET applications, this class of flaw is frequently exploitable because the deserialization binder can be tricked into instantiating arbitrary types, leading directly to code execution.
Impact
The CVSS v3 score of 8.8 (HIGH) reflects severe consequences for confidentiality, integrity, and availability:
- Confidentiality Impact: HIGH — an attacker can read sensitive files, database connection strings, and cryptographic keys stored on the server.
- Integrity Impact: HIGH — the attacker can modify application code, content, and configuration.
- Availability Impact: HIGH — the attacker can crash the application or pivot to the underlying operating system.
The CVSS v2 score of 6.5 with "Au:SINGLE" indicates that some form of authentication is required; however, even a low-privilege account (or a stolen session) is sufficient to reach full compromise.
Exploitation Walkthrough
Ethics caveat: This section describes the defensive anatomy of the attack. It does not contain weaponized exploit code.
- Reconnaissance: The attacker identifies a DNN instance running a version earlier than 9.1.1. Publicly accessible version banners, JavaScript files, or login-portal branding may reveal the target platform.
- Authentication: The attacker authenticates with any valid account (the CVSS v2 metric is Au:SINGLE). In some configurations, even an anonymous or self-registered account may suffice.
- Payload crafting: The attacker constructs a serialized .NET object embedded inside a cookie value. The object is designed to chain gadget types already present in the application's bin directory or in the Global Assembly Cache (GAC), ultimately invoking arbitrary system commands or spawning a reverse shell.
- Delivery: The attacker sends an HTTP request to the DNN site with the malicious cookie. The server deserializes the cookie, the gadget chain executes, and the attacker gains remote code execution in the context of the application pool identity.
- Post-exploitation: Typical follow-on actions include lateral movement, credential harvesting from
web.config, installation of persistence mechanisms, or deployment of web shells.
Affected and Patched Versions
| Status | Version |
|---|---|
| Affected | DNN (DotNetNuke) < 9.1.1 |
| Patched | DNN 9.1.1 and later |
The NuGet package DotNetNuke.Core versions prior to 9.1.1 are also affected.
Remediation
- Upgrade immediately: Apply DNN 9.1.1 or the latest supported release. The vendor published the fix under security bulletin "2017-08 (Critical)".
- Compensating controls (if upgrade is not immediately possible):
- Restrict network access to the DNN administrative interfaces using IP allow-listing or VPN gating.
- Disable self-registration and anonymous access to reduce the attack surface.
- Implement Web Application Firewall (WAF) rules that detect anomalous cookie sizes or Base64-encoded payloads characteristic of .NET deserialization gadgets.
- Run the application pool under a low-privilege identity with minimal filesystem and network rights.
Detection
- Network: Monitor for unusually large cookie values or repeated HTTP 500 errors immediately following authenticated requests.
- Endpoint: Look for unexpected child processes spawned by the IIS worker process (
w3wp.exe), such ascmd.exe,powershell.exe, or common living-off-the-land binaries. - File integrity: Alert on new
.aspx,.ashx, or.asmxfiles dropped into web-accessible directories. - Logging: Correlate authentication events with subsequent suspicious administrative actions or outbound connections from the web server.
Assessment
With an EPSS score of 0.94789 (99.85th percentile) and confirmed inclusion in both the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Exploited Vulnerabilities Database, CVE-2017-9822 is not merely theoretical — it is actively exploited in the wild. The gap between the original 2017 disclosure and the 2021 KEV listing suggests that threat actors continued to leverage this flaw against unpatched legacy instances for years.
Key lessons:
- Deserialization is a critical attack surface: Any code path that deserializes attacker-controlled data should be treated as high-risk and subjected to strict type whitelisting or schema validation.
- Legacy instances matter: Organizations that delay patching CMS platforms often become soft targets long after the vulnerability is public knowledge. Continuous asset inventory and exposure management are essential.
References
Frequently asked questions
- What is CVE-2017-9822?
- DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
- How severe is CVE-2017-9822?
- CVE-2017-9822 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-9822 being actively exploited?
- Yes. CVE-2017-9822 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-9822?
- CVE-2017-9822 affects Dnnsoftware Dotnetnuke. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2017-9822?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-9822 have an EU (EUVD) identifier?
- Yes. CVE-2017-9822 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-0710. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2017-9822 published?
- CVE-2017-9822 was published on 2017-07-20 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
- http://www.dnnsoftware.com/community/security/security-center
- http://www.securityfocus.com/bid/102213
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9822
Affected products (1)
- cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*
More vulnerabilities in Dnnsoftware Dotnetnuke
- CVE-2025-64095 — Critical (CVSS 10.0): DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to…
- CVE-2006-3601 — Critical (CVSS 10.0): ** UNVERIFIABLE ** Unspecified vulnerability in an unspecified DNN Modules module for DotNetNuke (.net nuke) allows…
- CVE-2015-2794 — Critical (CVSS 9.8): The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain…
- CVE-2026-24838 — Critical (CVSS 9.1): DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to…
- CVE-2025-59545 — Critical (CVSS 9.0): DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to…
- CVE-2020-5187 — High (CVSS 8.8): DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2).
All CVEs affecting Dnnsoftware Dotnetnuke →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.