PatchSiren

CVE-2015-2794 Dnnsoftware CVE debrief

CVE-2015-2794 is a critical DotNetNuke (DNN) vulnerability affecting versions before 7.4.1. A remote attacker can send a direct request to the installation wizard and potentially force a reinstall of the application, which can result in SuperUser-level access.

Vendor: Dnnsoftware
Product: CVE-2015-2794
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

DNN administrators, hosting providers, and security teams responsible for internet-facing DotNetNuke installations, especially any system running a version earlier than 7.4.1.

Technical summary

NVD describes the issue as an unauthenticated network attack against Install/InstallWizard.aspx in DotNetNuke before 7.4.1. The result can be application reinstallation and SuperUser access. NVD rates the issue CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the vulnerable version range extends through 07.04.00.

Defensive priority

Immediate. This is a remotely exploitable, no-authentication, high-impact flaw with full confidentiality, integrity, and availability consequences in NVD scoring.

Recommended defensive actions

  • Upgrade DotNetNuke to 7.4.1 or later.
  • If immediate upgrade is not possible, follow the vendor workaround and security guidance referenced by DNN.
  • Restrict access to the installer endpoint and verify it is not reachable from untrusted networks.
  • Review logs and configuration for any unexpected reinstall activity, SuperUser creation, or other unauthorized changes.
  • Treat affected systems as potentially compromised until integrity is confirmed and privileged accounts are reviewed.
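
One way to carry out the log review and reachability check above is to scan IIS logs for requests to Install/InstallWizard.aspx from clients outside the networks where installer access is expected. This is an added example, not code from DNN or NVD; the log field set, the trusted network, the sample log lines and the reading of status codes are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Installer path from the CVE description; IIS matches paths case-insensitively.
INSTALLER = re.compile(r"(^|/)install/installwizard\.aspx(/|$)")
# Assumption: networks from which installer access is expected (site-specific).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed IIS W3C extended log sample, not taken from a real system.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-06-01 10:00:01 GET /Default.aspx - 203.0.113.7 200
2015-06-01 10:00:05 GET /Install/InstallWizard.aspx - 10.1.2.3 200
2015-06-01 10:02:11 GET /install/installwizard.aspx - 198.51.100.23 200
2015-06-01 10:02:40 POST /dnn/Install/InstallWizard%2Easpx - 198.51.100.23 200
2015-06-01 10:05:00 GET /Install/InstallWizard.aspx - 203.0.113.7 404
"""

def normalize(stem):
    # Decode percent-escapes, lowercase, and collapse repeated slashes.
    return re.sub(r"/+", "/", unquote(stem).lower())

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_installer_hits(log_text):
    """Return installer requests from untrusted clients, tagged by outcome."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = normalize(row.get("cs-uri-stem", ""))
        if not INSTALLER.search(stem) or is_trusted(row["c-ip"]):
            continue
        status = row.get("sc-status", "")
        # 2xx/3xx: the wizard answered an untrusted client; 4xx/5xx: it was refused.
        outcome = "REACHABLE" if status[:1] in ("2", "3") else "blocked"
        hits.append((row["date"], row["time"], row["c-ip"], row["cs-method"], status, outcome))
    return hits

if __name__ == "__main__":
    print(*find_installer_hits(SAMPLE_LOG), sep="\n")
```

A REACHABLE result means the installer responded to a client outside the trusted networks and the host should be reviewed as described in the last bullet; a blocked result shows the access restriction is working for that request.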

Evidence notes

This debrief is based on the supplied NVD record and its cited references. The CVE description states that DotNetNuke (DNN) before 7.4.1 can be reinstalled through a direct request to Install/InstallWizard.aspx, enabling SuperUser access. NVD metadata lists the vulnerable CPE range through version 07.04.00, CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and CWE-264. References include a DNN workaround post, DNN security center patch guidance, DNN release notes, and a third-party exploit-db entry.

Official resources

Publicly disclosed in the CVE/NVD record dated 2017-02-06, based on the supplied publishedAt field. Use the CVE description and NVD record for timing context; do not infer a later publication date from the record's modified timestamp.