CVE-2022-25369
Published: 23 January 2026
Summary
CVE-2022-25369 is a critical-severity Improper Authentication (CWE-287) vulnerability in the Dynamicweb CMS (the affected product per the NVD description; the Assetnote reference is the discovering researcher's advisory, not the vendor). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 requires that the actions permitted without identification or authentication be explicitly limited and documented; re-running setup phases to create an administrator is exactly the kind of action that must not be on that list, so the control speaks directly to this flaw.
AC-2 requires managed processes for account creation, modification and removal, so that an administrator account appearing outside the approved process (as happens here) is both prohibited by policy and visible in audit records.
AC-3 requires enforcement of approved authorizations for every access, covering the logic error that let sensitive setup and administrative functions run without an authorization check.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing CMS (T1190: Exploit Public-Facing Application). It directly enables unauthenticated creation of a new administrator account (T1136: Create Account); once the attacker logs in as that account, an executable upload yields command execution on the server.
NVD Description
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
Deeper analysis
CVE-2022-25369 is a critical authentication bypass vulnerability (CWE-287, CWE-288) in the Dynamicweb content management system, affecting 9.x releases older than the fixed build of their branch (the NVD summary abbreviates this as "before 9.12.8"). The flaw is a logic error in the check that decides whether the product's setup phases may be run again: the check can be satisfied after installation has completed, so an attacker can re-enter the installer and create a new administrator account without any authentication.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). After adding the rogue admin user, the attacker authenticates with it to upload an executable file, resulting in remote command execution on the server.
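The following is an added illustration of the flaw class described above and in the mitigating-controls section; it is not Dynamicweb's code and makes no claim about how the real check was written. It models a setup phase whose "may setup run again?" decision can be influenced by an unauthenticated request, beside a hardened gate that permits the first install only and treats any later re-run as an administrative action requiring an authenticated Administrator session (AC-14, AC-3) with every account creation recorded (AC-2). The parameter names, request and state shapes, and the `rerun` flag are hypothetical.

```python
# Added example (not Dynamicweb's code): a minimal model of the flaw class in
# CVE-2022-25369, a setup phase that can be re-entered without authentication
# (CWE-287/CWE-288), beside a hardened gate. Parameter names and the
# request/state shapes below are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    params: dict
    session_user: Optional[str] = None  # None means no authenticated session


@dataclass
class AppState:
    users: dict = field(default_factory=dict)  # username -> role
    setup_completed: bool = False
    audit_log: list = field(default_factory=list)  # AC-2: every account change recorded


def has_administrator(state: AppState) -> bool:
    return any(role == "Administrator" for role in state.users.values())


def vulnerable_setup_allowed(state: AppState, req: Request) -> bool:
    # Flawed decision: whether setup "can be run again" depends on request
    # input, not on server-side state alone, so an anonymous caller who sends
    # the hypothetical rerun flag re-enters the installer after install.
    return (not state.setup_completed) or req.params.get("rerun") == "1"


def hardened_setup_allowed(state: AppState, req: Request) -> bool:
    # The first install is the only unauthenticated action permitted (AC-14):
    # allowed while setup has not completed and no administrator exists yet.
    if not state.setup_completed and not has_administrator(state):
        return True
    # Afterwards the setup phase is an administrative function (AC-3): the
    # caller must hold an authenticated Administrator session.
    return req.session_user is not None and state.users.get(req.session_user) == "Administrator"


def handle_setup(state: AppState, req: Request, gate) -> tuple:
    """Shared handler body; `gate` is one of the two policy functions above."""
    if not gate(state, req):
        return 403, "setup phase not permitted"
    username = req.params.get("admin_user")
    if not username:
        return 400, "admin_user required"
    state.users[username] = "Administrator"
    state.audit_log.append(("create_admin", username, req.session_user))
    state.setup_completed = True
    return 200, f"administrator '{username}' created"


def rogue_admin_chain(gate) -> bool:
    """True if an unauthenticated attacker ends up holding an Administrator
    account after a legitimate install has already completed."""
    state = AppState()
    # Legitimate first install by the site owner (constructed input).
    status, _ = handle_setup(state, Request({"admin_user": "owner"}), gate)
    assert status == 200
    # Attacker with no session tries to re-run the setup phase (constructed input).
    handle_setup(state, Request({"rerun": "1", "admin_user": "attacker"}), gate)
    return state.users.get("attacker") == "Administrator"


if __name__ == "__main__":
    print("vulnerable gate admits attacker:", rogue_admin_chain(vulnerable_setup_allowed))
    print("hardened gate admits attacker:", rogue_admin_chain(hardened_setup_allowed))
```

The hardened gate keys the decision on state the server owns (an administrator already exists, setup has completed) and never on a client-supplied flag; the audit entry gives the AC-2 process something to review when an account appears outside the expected install window.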
The issue is fixed in Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 and later; each 9.x branch has its own fixed build, so a version must be compared against the fix for its branch rather than against 9.12.8 alone. Additional details are available in the Assetnote research advisory at https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369 and the Dynamicweb releases page at https://www.dynamicweb.com/resources/downloads?Category=Releases.
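Because the fix is branch-specific, a naive "is it older than 9.12.8?" comparison misclassifies installs such as 9.10.18 (fixed) or 9.12.7 (vulnerable). The helper below is an added example, not vendor tooling: it takes the fixed builds from the NVD text above, reports `patched`, `vulnerable`, or `unknown`, and reserves `unknown` for branches this page lists no fix for (for example 9.11, or anything below 9.5), where the vendor's release notes should be consulted. It assumes plain `major.minor.patch` version strings.

```python
# Added example (not Dynamicweb's or NVD's code): classify an installed
# Dynamicweb version against the branch-specific fixes for CVE-2022-25369
# listed in the NVD description. Assumes "major.minor.patch" version strings.
import re

# Fixed build per 9.x branch, taken from the NVD text: 9.5.9, 9.6.16, 9.7.8,
# 9.8.11, 9.9.8, 9.10.18, 9.12.8 and 9.13.0 (and later).
FIXED_BY_BRANCH = {
    (9, 5): (9, 5, 9),
    (9, 6): (9, 6, 16),
    (9, 7): (9, 7, 8),
    (9, 8): (9, 8, 11),
    (9, 9): (9, 9, 8),
    (9, 10): (9, 10, 18),
    (9, 12): (9, 12, 8),
    (9, 13): (9, 13, 0),
}
FIRST_FULLY_FIXED_BRANCH = (9, 13)  # "9.13.0 (and later)": every later branch ships fixed


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' into a comparable (int, int, int) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(part) for part in m.groups())


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for CVE-2022-25369.

    'unknown' means this page lists no fixed build for the version's branch
    (e.g. 9.11 or anything below 9.5); do not assume either way, check the
    vendor's release notes.
    """
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch >= FIRST_FULLY_FIXED_BRANCH:
        return "patched"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs covering a fixed branch, a pre-fix build,
    # a branch with no listed fix, and a later major release.
    for sample in ["9.12.7", "9.12.8", "9.10.17", "9.10.18", "9.11.3", "10.0.1"]:
        print(f"{sample:>8}: {patch_status(sample)}")
```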
Details
- CWE(s)