CVE-2022-25369

{"id": "CVE-2022-25369", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-01-23T17:16:04.753", "references": [{"url": "https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369", "source": "cve@mitre.org"}, {"url": "https://www.dynamicweb.com/resources/downloads?Category=Releases", "source": "cve@mitre.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-288"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later)."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Dynamicweb antes de 9.12.8. Un atacante puede a\u00f1adir un nuevo usuario administrador sin autenticaci\u00f3n. Esta falla existe debido a un problema de l\u00f3gica al determinar si las fases de configuraci\u00f3n del producto pueden ejecutarse de nuevo. Una vez que un atacante est\u00e1 autenticado como el nuevo usuario administrador que ha a\u00f1adido, es posible cargar un archivo ejecutable y lograr la ejecuci\u00f3n de comandos. Esto se corrigi\u00f3 en 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8 y 9.13.0 (y posteriores)."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cve@mitre.org"}