CVE-2022-25369

CVSS 9.8 CRITICAL · EPSS 40.7% · CWE-287 · CWE-288
Vexday Risk Score
55 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.8 · EPSS 40.7% · KEV no · PoC Nuclei yes · Metasploit · Patch
Lifecycle
23 Jan 2026 · Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
