Content Management System (CMS) Security Advisory - CMS-2025-02

Brief Description:

A medium-severity vulnerability was identified in the CMS due to insufficient enforcement of password complexity requirements. The application permitted passwords as short as 6 characters, without complexity requirements adequate to resist modern attack techniques such as password spraying or offline password cracking.

Affected Versions:

EPiServer.CMS.UI versions prior to 12.32.0.

Solutions and Mitigations:

Upgrade to EPiServer.CMS.UI version 12.32.0, which enforces a stronger password policy with improved password complexity rules.

For Users that Cannot Upgrade:

For organizations unable to upgrade, the following mitigations are recommended: 

  • Manually Configure Password Complexity: Ensure passwords meet a minimum length of 8 characters and include a mix of upper- and lower-case letters, numbers, and special characters. 
  • Monitor Login Activity: Use logging and monitoring to detect unusual login attempts and implement rate-limiting to prevent password spraying attacks. 
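The two mitigation bullets above in working form, as an added example that is not part of this advisory and not code from the CMS itself: a password-policy check implementing the 8-character mixed-class rule (with the 6-character minimum the advisory describes kept as a parameter for comparison), a password-spraying detector run over constructed login log lines, and a per-source rate limiter for failed logins. Python is used because the page has no code of its own; the log line format, the function and class names, and the thresholds (five distinct accounts within ten minutes for spraying, five failures per minute for rate limiting) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Password policy from the advisory's mitigation bullet: at least 8 characters
# with an upper-case letter, a lower-case letter, a digit and a special
# character. The 6-character minimum is the pre-12.32.0 behaviour the advisory
# describes and is kept only so the two policies can be compared.
WEAK_MIN_LENGTH = 6
RECOMMENDED_MIN_LENGTH = 8


def check_password_policy(password, min_length=RECOMMENDED_MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


# Constructed sample login log (hypothetical layout, not the CMS's own log format).
# 203.0.113.5 fails once against six different accounts in about a minute,
# the breadth pattern typical of spraying; 198.51.100.7 is one user mistyping
# a password twice and then signing in, which should not be flagged.
SAMPLE_LOG = """
2025-01-03T10:00:01+00:00 ip=203.0.113.5 user=alice result=failure
2025-01-03T10:00:12+00:00 ip=203.0.113.5 user=bob result=failure
2025-01-03T10:00:25+00:00 ip=203.0.113.5 user=carol result=failure
2025-01-03T10:00:40+00:00 ip=203.0.113.5 user=dave result=failure
2025-01-03T10:00:55+00:00 ip=203.0.113.5 user=erin result=failure
2025-01-03T10:01:10+00:00 ip=203.0.113.5 user=frank result=failure
2025-01-03T10:02:00+00:00 ip=198.51.100.7 user=grace result=failure
2025-01-03T10:02:30+00:00 ip=198.51.100.7 user=grace result=failure
2025-01-03T10:03:00+00:00 ip=198.51.100.7 user=grace result=success
""".strip().splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_login_log(lines):
    """Parse lines in the constructed format above; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "result": m["result"]})
    return events


def detect_password_spraying(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Map each source IP whose failed logins touch at least `min_distinct_users`
    different accounts inside some `window` to the largest such account count.
    Spraying is a few passwords tried across many accounts, so the signal is the
    breadth of usernames per source, not the depth of attempts per username."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window start forward
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


class FailedLoginRateLimiter:
    """In-memory per-IP limiter: once an IP has `max_failures` failed logins
    inside the sliding `window`, further attempts from it are refused until
    enough failures age out of the window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1)):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)  # ip -> timestamps of failed logins

    def _prune(self, ip, now):
        self._failures[ip] = [t for t in self._failures[ip] if now - t <= self.window]

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self._failures[ip].append(now)

    def allow(self, ip, now):
        self._prune(ip, now)
        return len(self._failures[ip]) < self.max_failures


if __name__ == "__main__":
    print(check_password_policy("abc123"))
    print(detect_password_spraying(parse_login_log(SAMPLE_LOG)))
```

In a real deployment the policy check belongs in the identity provider's password configuration rather than in a separate application-level function, and the spraying threshold is only a starting point to be tuned against the site's own login volume; the point of the detector is that it keys on distinct accounts per source, which per-account lockout alone does not catch.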

Severity:

Medium

CVSS:

5.5

CVE ID:

CVE-2025-22390

Date Published:

January 3, 2025