PatchSiren cyber security CVE debrief
CVE-2022-26352 dotCMS CVE debrief
CVE-2022-26352 is a dotCMS unrestricted file upload vulnerability that CISA placed in its Known Exploited Vulnerabilities catalog on 2022-08-25. Because CISA also marked it as having known ransomware campaign use, organizations running dotCMS should treat this as an urgent remediation item and follow vendor update guidance without delay.
- Vendor: dotCMS
- Product: dotCMS
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2022-08-25
- Original CVE updated: 2022-08-25
- Advisory published: 2022-08-25
- Advisory updated: 2022-08-25
Who should care
Security and IT teams responsible for dotCMS deployments, especially internet-facing instances, patch management owners, and incident response teams tracking KEV-listed vulnerabilities.
Technical summary
CISA identifies the issue as an unrestricted file upload vulnerability in dotCMS. The official records available in this corpus do not describe the exploit mechanics in more depth, but KEV inclusion indicates real-world exploitation, and the catalog entry notes known ransomware campaign use. CISA's record also references the vendor security advisory SI-62 and the NVD entry for additional remediation context.
Defensive priority
High urgency. CISA added the CVE to the KEV catalog on the same date it was published in the supplied timeline, with a remediation due date of 2022-09-15. Known ransomware campaign use increases the defensive priority further.
Recommended defensive actions
- Apply dotCMS updates or mitigations according to the vendor’s security advisory SI-62.
- Prioritize patching any internet-facing dotCMS instances first.
- Verify whether any unexpected files were uploaded to dotCMS-managed locations and review related logs for suspicious activity.
- If patching is delayed, reduce exposure by restricting access to dotCMS administrative and upload-related functionality as much as operationally possible, consistent with vendor guidance.
Evidence notes
Official and supplied-source evidence links this issue to the CISA KEV record, which lists vendor dotCMS, product dotCMS, dateAdded 2022-08-25, dueDate 2022-09-15, and knownRansomwareCampaignUse as Known. The KEV notes reference https://www.dotcms.com/security/SI-62 and the NVD record for CVE-2022-26352. The supplied CVE published and modified dates are both 2022-08-25.
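The KEV fields named above (dateAdded, dueDate, knownRansomwareCampaignUse) are what a patch-management owner would key on when ranking KEV-listed items. The following is an added example, not part of this debrief or of any CISA tooling: it parses records laid out like the KEV JSON feed and ranks them by ransomware flag and remaining time to the due date. The sample record is constructed from the values quoted in this debrief, and the priority thresholds are an assumption.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the KEV feed layout; values taken from this debrief.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [{
        "cveID": "CVE-2022-26352",
        "vendorProject": "dotCMS",
        "product": "dotCMS",
        "vulnerabilityName": "dotCMS Unrestricted Upload of File Vulnerability",
        "dateAdded": "2022-08-25",
        "requiredAction": "Apply updates per vendor instructions.",
        "dueDate": "2022-09-15",
        "knownRansomwareCampaignUse": "Known",
        "notes": "https://www.dotcms.com/security/SI-62",
    }]
})


@dataclass
class KevFinding:
    cve_id: str
    product: str
    days_to_due: int      # negative once the CISA due date has passed
    ransomware_use: bool
    priority: str         # "critical", "high" or "standard" (assumed scheme)


def triage_kev(raw_json: str, products: set, today: date) -> list:
    """Return KEV entries matching the given product names, most urgent first."""
    findings = []
    for v in json.loads(raw_json)["vulnerabilities"]:
        if v["product"] not in products:
            continue
        days = (date.fromisoformat(v["dueDate"]) - today).days
        ransom = v.get("knownRansomwareCampaignUse", "").lower() == "known"
        # Assumed ranking: ransomware-linked or overdue -> critical,
        # due within two weeks -> high, otherwise standard.
        prio = "critical" if (ransom or days < 0) else ("high" if days <= 14 else "standard")
        findings.append(KevFinding(v["cveID"], v["product"], days, ransom, prio))
    # Ransomware-linked items first, then shortest remaining deadline.
    findings.sort(key=lambda f: (not f.ransomware_use, f.days_to_due))
    return findings


if __name__ == "__main__":
    for f in triage_kev(SAMPLE_KEV_JSON, {"dotCMS"}, date(2022, 8, 30)):
        print(f)
```

Feed the real catalog JSON and your deployed product inventory in place of the constructed sample to get a ranked remediation list.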
Official resources
- CVE-2022-26352 CVE record (CVE.org)
- CVE-2022-26352 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA); required action: Apply updates per vendor instructions.
- Source item URL: cisa_kev
This debrief is based on the supplied CISA KEV source record and official vulnerability resources only. The CVE was published and modified on 2022-08-25 in the provided timeline, which is also the KEV date added.