Cyber Posture

CVE-2025-0364

Critical · Public PoC

Published: 04 February 2025

Modified: 29 September 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2233 (95.9th percentile)
Risk Priority: 33 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0364 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Bigantsoft Bigant Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1136.001). The CVE ranks in the top 4.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Local Account (T1136.001) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-14 directly controls and monitors actions like unauthenticated SaaS account registration that bypass normal identification and authentication.

Prevent: AC-2 enforces managed account provisioning processes to prevent unauthorized creation of administrative accounts via exposed endpoints.

Prevent: SC-14 provides protections for publicly accessible interfaces like the SaaS registration endpoint to enforce required authorizations.

MITRE ATT&CK Enterprise Techniques

T1136.001 Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables unauthenticated creation of local admin accounts (T1136.001), exploitation of a public-facing chat server application (T1190), and deployment and execution of web shells via arbitrary PHP file upload in the Cloud Storage Addin (T1505.003).

NVD Description

BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. An unauthenticated remote attacker can create an administrative user through the default exposed SaaS registration mechanism. Once an administrator, the attacker can upload and execute arbitrary PHP code using the "Cloud Storage Addin," leading to unauthenticated code execution.

Deeper analysis

CVE-2025-0364 affects BigAntSoft BigAnt Server versions up to and including 5.6.06, enabling unauthenticated remote code execution through an exposed account registration mechanism. The vulnerability stems from the default SaaS registration feature, which allows attackers to create administrative accounts without authentication. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel). Published on 2025-02-04, this flaw permits escalation to full server compromise.

An unauthenticated remote attacker can exploit this by registering a new administrative user via the publicly accessible SaaS endpoint. With admin privileges, the attacker then uses the "Cloud Storage Addin" to upload and execute arbitrary PHP code, achieving unauthenticated remote code execution on the server. No user interaction or privileges are required, making it highly exploitable over the network with low complexity.

Advisories detailing mitigation are available from VulnCheck at https://vulncheck.com/advisories/big-ant-upload-rce, along with a proof-of-concept at https://github.com/vulncheck-oss/cve-2025-0364. Security practitioners should consult these resources for patch information, workarounds, or configuration changes to disable the exposed registration mechanism.

Details

CWE(s)

Affected Products

bigantsoft bigant server ≤ 5.6.06
