
CVE-2022-25369

Severity: Critical
Published: 23 January 2026
Modified: 15 April 2026
KEV Added: not listed
Remediation: patch available
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.4074 (98.5th percentile)
Risk Priority: 80 (floored blend, peak EPSS)

Summary

CVE-2022-25369 is a critical-severity Improper Authentication (CWE-287, with CWE-288 also assigned) vulnerability in the Dynamicweb content management platform; the affected product is inferred from the references and description because NVD filed no CPE for this CVE. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK techniques Exploit Public-Facing Application (T1190) and Create Account (T1136). The CVE ranks in the top 1.5% of CVEs by exploit likelihood (EPSS 98.5th percentile) but is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Dynamicweb versions prior to 9.12.8 contain a logic flaw in the handling of setup phases that allows an unauthenticated attacker to create a new administrator account. The vulnerability, tracked as CVE-2022-25369 and assigned CWE-287 and CWE-288, affects the core authentication and installation routines of the Dynamicweb content management platform and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can exploit the flaw to register an administrative user, after which the attacker can upload and execute arbitrary files on the server, resulting in full remote code execution. The attack requires no user interaction or prior credentials and can be performed over the network.

Official remediation guidance directs administrators to upgrade to one of the patched releases (9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, or 9.13.0 and later), available from the vendor’s download portal. The referenced Assetnote advisory provides additional technical detail on the setup-phase bypass used to reach administrative privileges.
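The fixed releases above are per-branch: a 9.10.x deployment is fixed at 9.10.18 even though 9.10.18 is "before 9.12.8", while a 9.11.x deployment has no patched release in its own branch and must move to 9.12.8 or later. As an added worked example (not code from this page, from Dynamicweb or from Assetnote), the following Python encodes that rule and triages an inventory of version strings against it. It assumes three-component major.minor.patch version strings (any trailing build component is ignored) and uses a constructed inventory; hostnames and versions are made up.

```python
"""Triage Dynamicweb version strings against the fixed releases for CVE-2022-25369.

Added example: not Dynamicweb's or Assetnote's code. The inventory below is constructed.
"""
from __future__ import annotations

# Patched releases named in the advisory, one per maintained 9.x branch.
FIXED_RELEASES = ["9.5.9", "9.6.16", "9.7.8", "9.8.11", "9.9.8", "9.10.18", "9.12.8", "9.13.0"]
# Every release from 9.13.0 onward carries the fix.
FIXED_FROM = (9, 13, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; any further components (build numbers) are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Dynamicweb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


# (major, minor) -> first patch level in that branch that contains the fix.
BRANCH_FLOOR: dict[tuple[int, int], int] = {
    (maj, mnr): pat for maj, mnr, pat in map(parse_version, FIXED_RELEASES)
}


def is_vulnerable(version: str) -> bool:
    """True if this release predates the fix for CVE-2022-25369."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) >= FIXED_FROM:
        return False
    floor = BRANCH_FLOOR.get((major, minor))
    if floor is None:
        # No patched release exists in this branch (e.g. 9.11.x, or anything
        # older than 9.5), so every release in it is vulnerable.
        return True
    return patch < floor


def recommended_upgrade(version: str) -> str | None:
    """Lowest patched release that is not a downgrade, or None if already fixed."""
    if not is_vulnerable(version):
        return None
    current = parse_version(version)
    for candidate in sorted(map(parse_version, FIXED_RELEASES)):
        if candidate >= current:
            return ".".join(map(str, candidate))
    return ".".join(map(str, FIXED_FROM))  # not reached: vulnerable implies < 9.13.0


def triage(inventory: dict[str, str]) -> list[dict[str, object]]:
    """Annotate each host with its vulnerability status and upgrade target."""
    rows = []
    for host, version in sorted(inventory.items()):
        rows.append({
            "host": host,
            "version": version,
            "vulnerable": is_vulnerable(version),
            "upgrade_to": recommended_upgrade(version),
        })
    return rows


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "cms-prod-01": "9.10.17",   # one patch level short of the 9.10 fix
    "cms-prod-02": "9.12.8",    # fixed
    "cms-stage-01": "9.11.3",   # no patched 9.11 release: must move to 9.12.8
    "cms-legacy-01": "9.4.2",   # older than any patched branch
    "cms-new-01": "9.14.1",     # after 9.13.0, fixed
}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        status = "VULNERABLE" if row["vulnerable"] else "fixed"
        target = f" -> upgrade to {row['upgrade_to']}" if row["upgrade_to"] else ""
        print(f"{row['host']:<14} {row['version']:<9} {status}{target}")
```

The branch-floor table is what distinguishes this from a naive "is it below 9.12.8" comparison: a plain numeric check would wrongly flag 9.10.18 as vulnerable and, worse, offer no upgrade target for branches the vendor no longer patches.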

The highest EPSS score recorded for this CVE is 0.8286; the current score is the one shown in the header above.


Vulnerability details

An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).

CWE(s)

CWE-287 Improper Authentication
CWE-288 Authentication Bypass Using an Alternate Path or Channel

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136 Create Account (Persistence): Adversaries may create an account to maintain access to victim systems.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing CMS (T1190: Exploit Public-Facing Application), directly enabling unauthenticated creation of a new administrator account (T1136: Create Account) and subsequent RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-37184 (shared CWE-287)
CVE-2026-8321 (shared CWE-287, CWE-288)
CVE-2025-67507 (shared CWE-287, CWE-288)
CVE-2026-2165 (shared CWE-287)
CVE-2026-8994 (shared CWE-287)
CVE-2026-29193 (shared CWE-287)
CVE-2026-2628 (shared CWE-288)
CVE-2025-1044 (shared CWE-287)
CVE-2025-64121 (shared CWE-288)
CVE-2026-1740 (shared CWE-287)

Affected Assets

Dynamicweb (content management platform), versions before 9.12.8 on branches without a listed patched release
Inferred from the references and description; NVD did not file a CPE for this CVE. Assetnote is the source of the referenced advisory, not an affected product.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely installation of the vendor patches that close the setup-phase logic flaw allowing unauthenticated admin account creation.

AC-3 Access Enforcement (prevent): Enforces access-control decisions so that creation of administrator accounts cannot succeed without prior authentication.

Identification and authentication (prevent): Mandates identification and authentication of users before any privileged account-management action is permitted, blocking the initial unauthenticated admin registration.
