Cyber Posture

CVE-2022-25369

Severity: Critical
Published: 23 January 2026
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8014 (99.1st percentile)
Risk Priority: 68 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
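The bug class behind this description is a setup routine whose "may setup run again?" decision is made from state an unauthenticated caller can influence. The following model is an added illustration, not Dynamicweb's code: the Site store, the VulnerableSetup and HardenedSetup classes and the `reinstall` request hint are assumptions chosen to show the shape of the logic error and its fix, not the product's real endpoint or check.

```python
"""Model of the "setup phases can be run again" bug class (CWE-288).

Added illustration, not Dynamicweb's code: Site, VulnerableSetup,
HardenedSetup and the `reinstall` request hint are assumptions chosen to
show the logic error the advisory describes, not the product's real logic.
"""
from dataclasses import dataclass, field


@dataclass
class Site:
    """Constructed in-memory stand-in for the product's database."""
    users: dict = field(default_factory=dict)   # username -> role
    installed: bool = False                      # set once setup completes


class VulnerableSetup:
    """Gates setup on mutable request-time hints, never on who is asking."""

    def __init__(self, site: Site):
        self.site = site

    def setup_allowed(self, request: dict) -> bool:
        # Flaw: "no admin yet" OR a re-run hint is taken as permission to
        # enter setup, so an unauthenticated caller can re-open it at will.
        no_admin = "admin" not in self.site.users.values()
        return no_admin or request.get("reinstall") == "1"

    def create_admin(self, request: dict, name: str) -> bool:
        if not self.setup_allowed(request):
            return False
        self.site.users[name] = "admin"
        self.site.installed = True
        return True


class HardenedSetup:
    """Setup is a one-shot phase gated by server-side state; re-running it
    after install is an administrator-only action."""

    def __init__(self, site: Site):
        self.site = site

    def setup_allowed(self, request: dict) -> bool:
        if not self.site.installed:
            return True                      # first-run install only
        who = request.get("authenticated_user")
        return who is not None and self.site.users.get(who) == "admin"

    def create_admin(self, request: dict, name: str) -> bool:
        if not self.setup_allowed(request):
            return False
        self.site.users[name] = "admin"
        self.site.installed = True
        return True


def attack(setup_cls) -> bool:
    """Install normally, then send an unauthenticated request carrying the
    re-run hint to add a second admin. Returns True if the rogue admin got in."""
    site = Site()
    setup = setup_cls(site)
    setup.create_admin({}, "owner")                 # legitimate first install
    setup.create_admin({"reinstall": "1"}, "evil")  # attacker, no session
    return site.users.get("evil") == "admin"


if __name__ == "__main__":
    print("vulnerable:", attack(VulnerableSetup))   # True
    print("hardened:  ", attack(HardenedSetup))     # False
```

The point of the hardened variant is that the gate reads a persistent server-side marker and, once that marker is set, demands an already-authenticated administrator; nothing the request carries can reopen the first-run path. That is the property to verify when reviewing any installer or setup wizard, whatever the product.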

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-14 (prevent): Permitted Actions Without Identification or Authentication. Requires the organization to enumerate and limit what the application may do for unauthenticated callers. Running the setup phases, and in particular creating an administrator account, after installation has completed should not be on that list; that is exactly the action the logic flaw left reachable without authentication.

AC-2 (prevent): Account Management. Requires a managed process for creating, modifying and removing accounts, with approval and periodic review of privileged accounts, so that an administrator added outside the process is both prohibited by policy and visible on the next review.

AC-3 (prevent): Access Enforcement. Requires the system to enforce approved authorizations on every sensitive function, server-side. The setup and administrator-creation functions escaped that enforcement; a correct authorization check on them is the fix the vendor shipped.

Security Summary [AI-generated]

CVE-2022-25369 is a critical authentication bypass vulnerability (CWE-287 Improper Authentication, CWE-288 Authentication Bypass Using an Alternate Path or Channel) affecting the Dynamicweb content management system in versions prior to 9.12.8 (each supported 9.x branch has its own fixed build, listed below). The flaw stems from a logic error in the check that decides whether the product's setup phases may be run again: the check can be satisfied after installation has completed, so an attacker can re-enter setup and create a new administrator account without any authentication.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). After adding the rogue admin user, the attacker authenticates with it to upload an executable file, resulting in remote command execution on the server.

The issue is addressed in Dynamicweb releases 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, 9.13.0, and later versions; upgrade to the fixed build of the branch in use. Additional details are available in the Assetnote research advisory at https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369 and the Dynamicweb releases page at https://www.dynamicweb.com/resources/downloads?Category=Releases.

Details

CWE(s): CWE-287 (Improper Authentication), CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136 Create Account (Persistence): Adversaries may create an account to maintain access to victim systems.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing CMS (T1190: Exploit Public-Facing Application), directly enabling unauthenticated creation of a new administrator account (T1136: Create Account) and subsequent RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
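Both techniques leave artifacts a defender can check: T1190 shows up as unauthenticated requests to the setup endpoint on a site that is already installed, and T1136 as an administrator account that is not in the change-controlled baseline. The script below is an added example, not part of the original page or of any vendor tooling. The IIS W3C log excerpt and the admin-table snapshot are constructed, and the setup path prefix `/admin/setup/` is a hypothetical placeholder; substitute the real endpoint for your version from the Assetnote advisory.

```python
"""Detection sketch for T1190 + T1136 as they occur in CVE-2022-25369.

Added example, not the page's or vendor's code. SETUP_PATH_PREFIX is a
hypothetical placeholder; SAMPLE_LOG and the admin snapshot are constructed.
"""
from datetime import datetime

# Hypothetical setup endpoint prefix; replace with the real path for your version.
SETUP_PATH_PREFIX = "/admin/setup/"

# Constructed IIS W3C-style log excerpt (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-01-20 10:01:02 GET /Admin/Default.aspx - owner 192.0.2.10 200
2026-01-20 10:05:44 POST /Admin/Setup/Default.aspx - - 198.51.100.7 200
2026-01-20 10:05:50 POST /Admin/Setup/Default.aspx step=3 - 198.51.100.7 302
2026-01-20 10:06:30 POST /Admin/Filemanager/Upload.aspx - evil 198.51.100.7 200
"""

# Constructed snapshot of the CMS admin table and the change-controlled baseline.
ADMIN_BASELINE = {"owner"}
CURRENT_ADMINS = [
    {"name": "owner", "created": "2025-11-03 09:00:00"},
    {"name": "evil", "created": "2026-01-20 10:05:51"},
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def setup_hits_without_auth(text):
    """T1190 indicator: requests to the setup endpoint with no authenticated
    user ('-' in cs-username). Returns (timestamp, client ip, method, path)."""
    hits = []
    for rec in parse_w3c(text):
        if (rec["cs-uri-stem"].lower().startswith(SETUP_PATH_PREFIX)
                and rec["cs-username"] == "-"):
            when = datetime.strptime(f"{rec['date']} {rec['time']}", TS_FORMAT)
            hits.append((when, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]))
    return hits


def unexpected_admins(current, baseline):
    """T1136 indicator: administrator accounts absent from the approved baseline."""
    return [u for u in current if u["name"] not in baseline]


def correlate(text, current, baseline):
    """Names of unexpected admins created at or after an unauthenticated setup
    request, which is the exact sequence the advisory describes."""
    hits = setup_hits_without_auth(text)
    flagged = []
    for u in unexpected_admins(current, baseline):
        created = datetime.strptime(u["created"], TS_FORMAT)
        if any(when <= created for when, *_ in hits):
            flagged.append(u["name"])
    return flagged


if __name__ == "__main__":
    for hit in setup_hits_without_auth(SAMPLE_LOG):
        print("unauthenticated setup request:", hit)
    print("rogue admins tied to setup traffic:", correlate(SAMPLE_LOG, CURRENT_ADMINS, ADMIN_BASELINE))
```

Run the two indicators independently as well as correlated: a setup-endpoint hit on an installed site is worth an alert on its own, since the log will not always line up with the account table (time skew, log rotation, or an attacker who deletes the rogue account after dropping a web shell).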

References

Assetnote research advisory: https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369
Dynamicweb releases page: https://www.dynamicweb.com/resources/downloads?Category=Releases