CVE-2022-25369
Published: 23 January 2026
Summary
CVE-2022-25369 is a critical-severity Improper Authentication (CWE-287) vulnerability in the Dynamicweb content management platform (the product is named in the NVD description and the referenced Assetnote advisory; Assetnote is the reporting party, not the affected product). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.5% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
Dynamicweb 9.x builds earlier than the fixed release for their minor line (the NVD description summarises this as "before 9.12.8") contain a logic flaw in the handling of setup phases that allows an unauthenticated attacker to create a new administrator account. The vulnerability, tracked as CVE-2022-25369 and assigned CWE-287 (Improper Authentication) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel), affects the core authentication and installation routines of the Dynamicweb content management platform and carries a CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker can exploit the flaw to register an administrative user, after which the attacker can upload and execute arbitrary files on the server, resulting in full remote code execution. The attack requires no user interaction or prior credentials and can be performed over the network.
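The setup-phase gate described above, illustrated as an added example that is not Dynamicweb's code: a hypothetical CMS setup wizard whose "can the setup phases run again?" decision can be satisfied by an unauthenticated request (the CWE-288 pattern the advisory places this bug in), next to a hardened gate that keys the decision on persisted installation state plus an authenticated admin session. Every name here (InstallState, the two wizard classes, the rerun parameter) is invented for the illustration and says nothing about how Dynamicweb actually implements its setup phases.

```python
# Added example, not Dynamicweb's code: a hypothetical setup wizard whose
# re-run decision is satisfied by client input (vulnerable) versus one that
# relies only on server-side state and an authenticated admin (hardened).
from dataclasses import dataclass, field


@dataclass
class InstallState:
    """Server-side installation record (constructed for the example)."""
    setup_completed: bool = False
    admins: set = field(default_factory=set)


class VulnerableSetupWizard:
    """The 'setup may run again' decision leaks into request parameters."""

    def __init__(self, state: InstallState):
        self.state = state

    def can_run_setup(self, params: dict, session: dict) -> bool:
        if not self.state.setup_completed:
            return True            # genuine first run
        # BUG (hypothetical): a request parameter reopens the setup phases
        # after installation, so anyone who can reach the endpoint passes.
        return params.get("rerun") == "1"

    def create_admin(self, params: dict, session: dict) -> bool:
        """Admin-creation phase: succeeds whenever the gate lets setup run."""
        if not self.can_run_setup(params, session):
            return False
        self.state.admins.add(params["username"])
        self.state.setup_completed = True
        return True


class HardenedSetupWizard(VulnerableSetupWizard):
    """Same phases, but the gate ignores client input entirely."""

    def can_run_setup(self, params: dict, session: dict) -> bool:
        # First run only when nothing was ever installed: completion flag
        # unset AND no admin exists. Checking both means a lost or reset
        # flag cannot reopen first-run setup on a populated install.
        if not self.state.setup_completed and not self.state.admins:
            return True
        # Any later run of the setup phases is an administrative action and
        # requires a session already authenticated as an existing admin.
        return session.get("user") in self.state.admins


def simulate(wizard_cls) -> dict:
    """Install once, then replay the admin-creation phase as a logged-in
    admin and as an unauthenticated attacker sending the same parameters."""
    state = InstallState()
    wizard = wizard_cls(state)
    first = wizard.create_admin({"username": "owner"}, session={})
    legit = wizard.create_admin({"username": "deputy", "rerun": "1"},
                                session={"user": "owner"})
    attacker = wizard.create_admin({"username": "evil", "rerun": "1"},
                                   session={})
    return {"first_install": first, "legit_rerun": legit,
            "attacker_rerun": attacker, "admins": sorted(state.admins)}


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableSetupWizard))
    print("hardened:  ", simulate(HardenedSetupWizard))
```

The point of the hardened gate is not the specific check but where its inputs come from: persisted state the server owns and an authenticated identity, never a value the request can set. Once an attacker holds an admin account, the file upload that follows in the advisory is ordinary administrator functionality, so the gate is the only control that matters.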
Official remediation guidance directs administrators to upgrade to one of the patched releases (9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, or 9.13.0 and later), available from the vendor's download portal. Because the fix was backported per minor line, compare an installed version against the fixed build for its own line rather than against 9.12.8 alone; no 9.11.x build appears in the list, so installations on that line should move to a listed release. The referenced Assetnote advisory provides additional technical detail on the setup-phase bypass used to reach administrative privileges.
The associated EPSS score currently stands at 0.8286, matching its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30040
Vulnerability details
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
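Both the description above and the remediation paragraph under "Deeper analysis" give the fix as a set of per-line backports, which is easy to get wrong when checking an inventory against "before 9.12.8". The following is an added example, not Dynamicweb or Assetnote tooling, that classifies version strings against the fixed builds listed on this page. The inventory at the bottom is constructed sample data; the treatment of lines with no listed fixed build (such as 9.11.x) and of older major versions as affected is an assumption stated in the code.

```python
# Added example, not vendor tooling: classify Dynamicweb version strings
# against the fixed releases listed for CVE-2022-25369.
import re

# Lowest fixed build on each 9.x minor line, taken from the advisory text.
FIXED_ON_LINE = {
    (9, 5): (9, 5, 9),
    (9, 6): (9, 6, 16),
    (9, 7): (9, 7, 8),
    (9, 8): (9, 8, 11),
    (9, 9): (9, 9, 8),
    (9, 10): (9, 10, 18),
    (9, 12): (9, 12, 8),
}
# "9.13.0 (and later)": everything from here upward carries the fix.
FIRST_FULLY_FIXED = (9, 13, 0)

# Accept major.minor.patch with an optional fourth build number; anything
# else (pre-release tags, ranges, free text) is rejected rather than guessed.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) or raise ValueError."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(text: str) -> bool:
    """True when the version precedes the fixed build for its release line."""
    version = parse_version(text)
    if version >= FIRST_FULLY_FIXED:
        return False
    fixed = FIXED_ON_LINE.get(version[:2])
    if fixed is None:
        # Assumption: a line with no listed fixed build (e.g. 9.11.x) or an
        # older major version has no backport, so treat it as affected.
        return True
    return version < fixed


def triage(inventory: dict) -> dict:
    """Map host -> 'vulnerable' | 'patched' | 'unparseable'."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(ver) else "patched"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "cms-prod-01": "9.12.7",
    "cms-prod-02": "9.12.8",
    "cms-lts-01": "9.10.18.0",
    "cms-lts-02": "9.10.17",
    "cms-old-01": "9.11.2",
    "cms-new-01": "9.13.4",
    "cms-dev-01": "9.12.8-rc1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```

Unparseable strings are reported rather than silently scored so that a pre-release or oddly formatted build gets a human look instead of a false "patched". Feed the function whatever your asset inventory exports, but confirm the version on the host itself before closing a finding.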
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing CMS (T1190: Exploit Public-Facing Application), directly enabling unauthenticated creation of a new administrator account (T1136: Create Account) and subsequent RCE.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that close the setup-phase logic flaw allowing unauthenticated admin account creation.
- AC-3 (Access Enforcement): enforces access-control decisions so that creation of administrator accounts cannot succeed without prior authentication.
- Identification and Authentication (IA family): mandates identification and authentication of users before any privileged account-management action is permitted, blocking the initial unauthenticated admin registration.