CVE-2025-27422
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27422 is an authentication bypass vulnerability in FACTION, an open-source PenTesting Report Generation and Collaboration Framework. The flaw allows an attacker to register a new user account with administrative privileges without any prior authorization. This occurs because the registration endpoint lacks proper controls beyond basic validation rules, such as ensuring no missing information and a secure password. The vulnerability, associated with CWE-287 (Improper Authentication), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and affects versions of FACTION prior to 1.4.3.
Any unauthenticated attacker with network access to the FACTION instance can exploit this vulnerability by crafting a valid registration request that specifies admin privileges. Neither user interaction nor prior privileges are required, so the flaw is remotely exploitable with low complexity. Successful exploitation grants the attacker full administrative access, potentially allowing them to read sensitive penetration testing reports, collaborate on projects with elevated permissions, or manipulate framework data, resulting in high confidentiality impact.
The vulnerability has been addressed in FACTION version 1.4.3, as detailed in the project's GitHub security advisory (GHSA-97cv-f342-v2jc) and the corresponding fix commit (0a6848d388d6dba1c81918cce2772b1e805cd3d6). Security practitioners should immediately upgrade to the patched version and review access logs for unauthorized admin registrations to identify potential exploitation.
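Added example, not FACTION's own code: a minimal registration handler in the shape the advisory describes (only basic validation, client-chosen role) beside a hardened version that assigns roles server-side, plus the log review suggested above. The field names, the `role` parameter and the log line format are assumptions, not taken from the project.

```python
import re
from dataclasses import dataclass, field


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)


def basic_validation(req):
    """The only checks the weak endpoint performs: no missing fields, strong password."""
    for key in ("username", "password"):
        if not req.get(key):
            raise ValueError(f"missing {key}")
    pw = req["password"]
    if len(pw) < 12 or not re.search(r"[0-9]", pw) or not re.search(r"[^A-Za-z0-9]", pw):
        raise ValueError("weak password")


def register_vulnerable(store, req):
    """Trusts the client-supplied role (assumed field name): anyone can self-register as admin."""
    basic_validation(req)
    store.users[req["username"]] = {"role": req.get("role", "user")}
    return store.users[req["username"]]


def register_hardened(store, req, caller=None):
    """Role is decided by the server: an admin account requires an authenticated admin caller."""
    basic_validation(req)
    requested = req.get("role", "user")
    if requested != "user" and (caller is None or caller.get("role") != "admin"):
        raise PermissionError("admin accounts may only be created by an authenticated admin")
    store.users[req["username"]] = {"role": requested}
    return store.users[req["username"]]


# Constructed sample audit log in an assumed key=value format; 'auth=none' marks
# an unauthenticated request.
SAMPLE_LOG = """\
2025-03-01T10:02:11Z POST /register user=alice role=user auth=none
2025-03-01T10:05:40Z POST /register user=eve role=admin auth=none
2025-03-01T11:20:03Z POST /register user=carol role=admin auth=admin:root
"""


def suspicious_admin_registrations(log_text):
    """Return usernames created with admin role by an unauthenticated caller."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[3:])
        if fields.get("role") == "admin" and fields.get("auth") == "none":
            hits.append(fields["user"])
    return hits
```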
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass in the public-facing FACTION web app registration endpoint allows remote unauthenticated attackers to gain admin access, directly enabling T1190 Exploit Public-Facing Application.