Cyber Resilience

CVE-2025-0364

CriticalPublic PoC

Published: 04 February 2025

Published
04 February 2025
Modified
29 September 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2233 95.9th percentile
Risk Priority 33 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0364 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Bigantsoft Bigant Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1136.001); ranked in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Deeper analysis

BigAntSoft BigAnt Server versions up to and including 5.6.06 contain an unauthenticated remote code execution vulnerability stemming from an exposed SaaS registration mechanism. The flaw, tracked as CWE-288, permits an attacker to register an administrative account without authentication, after which the Cloud Storage Addin can be abused to upload and execute arbitrary PHP code on the server.

An unauthenticated remote attacker can exploit the registration endpoint to obtain administrator privileges, then leverage the addin functionality to achieve full remote code execution with impacts covering confidentiality, integrity, and availability. The CVSS 3.1 score of 9.8 reflects the network-accessible, low-complexity nature of the attack with no required user interaction or privileges.

Public advisories and proof-of-concept material are available from VulnCheck and an associated GitHub repository, though specific patch or configuration guidance is not detailed in the provided references. The EPSS score reached a peak of 0.2563 on 2025-12-11 and currently stands at 0.2233 with no reported real-world exploitation campaigns.

EU & UK References

Vulnerability details

BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. An unauthenticated remote attacker can create an administrative user through the default exposed SaaS registration mechanism. Once an administrator, the attacker…

more

can upload and execute arbitrary PHP code using the "Cloud Storage Addin," leading to unauthenticated code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability enables unauthenticated creation of local admin accounts (T1136.001), exploitation of public-facing chat server application (T1190), and deployment/execution of web shells via arbitrary PHP file upload in Cloud Storage Addin (T1505.003).

CVEs Like This One

CVE-2025-10294Shared CWE-288
CVE-2026-3461Shared CWE-288
CVE-2025-67070Shared CWE-288
CVE-2026-42760Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2026-1779Shared CWE-288
CVE-2025-0316Shared CWE-288
CVE-2026-45109Shared CWE-288
CVE-2025-5397Shared CWE-288
CVE-2026-31271Shared CWE-288

Affected Assets

bigantsoft
bigant server
≤ 5.6.06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 directly controls and monitors actions like unauthenticated SaaS account registration that bypass normal identification and authentication.

prevent

AC-2 enforces managed account provisioning processes to prevent unauthorized creation of administrative accounts via exposed endpoints.

prevent

SC-14 provides protections for publicly accessible interfaces like the SaaS registration endpoint to enforce required authorizations.

References