CVE-2025-0364
Published: 04 February 2025
Summary
CVE-2025-0364 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in BigAntSoft BigAnt Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1136.001). The CVE is ranked in the top 4.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Deeper analysis
BigAntSoft BigAnt Server versions up to and including 5.6.06 contain an unauthenticated remote code execution vulnerability stemming from an exposed SaaS registration mechanism. The flaw, tracked as CWE-288, permits an attacker to register an administrative account without authentication, after which the Cloud Storage Addin can be abused to upload and execute arbitrary PHP code on the server.
An unauthenticated remote attacker can exploit the registration endpoint to obtain administrator privileges, then leverage the addin functionality to achieve full remote code execution with impacts covering confidentiality, integrity, and availability. The CVSS 3.1 score of 9.8 reflects the network-accessible, low-complexity nature of the attack with no required user interaction or privileges.
Public advisories and proof-of-concept material are available from VulnCheck and an associated GitHub repository, though specific patch or configuration guidance is not detailed in the provided references. The EPSS score reached a peak of 0.2563 on 2025-12-11 and currently stands at 0.2233 with no reported real-world exploitation campaigns.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1627
Vulnerability details
BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. An unauthenticated remote attacker can create an administrative user through the default exposed SaaS registration mechanism. Once an administrator, the attacker can upload and execute arbitrary PHP code using the "Cloud Storage Addin," leading to unauthenticated code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables unauthenticated creation of local admin accounts (T1136.001), exploitation of public-facing chat server application (T1190), and deployment/execution of web shells via arbitrary PHP file upload in Cloud Storage Addin (T1505.003).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
AC-14 directly controls and monitors actions like unauthenticated SaaS account registration that bypass normal identification and authentication.
AC-2 enforces managed account provisioning processes to prevent unauthorized creation of administrative accounts via exposed endpoints.
SC-14 provides protections for publicly accessible interfaces like the SaaS registration endpoint to enforce required authorizations.