CVE-2025-27422
Published: 03 March 2025
Summary
CVE-2025-27422 is a high-severity Improper Authentication (CWE-287) vulnerability in FACTION with a CVSS v3.1 base score of 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The issue ranks at the 22nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-2 requires that account creation, including the assignment of administrative roles, goes through a managed and approved process, so a public registration form must not be able to create privileged accounts.
AC-6 enforces least privilege: self-registered users receive a non-administrative role by default, and elevation to administrator requires prior authorization by an existing administrator.
AC-14 requires the organization to define which actions may be performed without identification or authentication; creating an account with administrative privileges must not be one of them.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The registration endpoint of the public-facing FACTION web application lets a remote, unauthenticated attacker create an administrator account, which is a direct instance of T1190 Exploit Public-Facing Application.
NVD Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc) but there are no other controls stopping them. This vulnerability is fixed in 1.4.3.
Deeper analysis
CVE-2025-27422 is an authentication bypass in FACTION, an open-source PenTesting Report Generation and Collaboration Framework. The registration endpoint lets an attacker create a new account with administrative privileges without any prior authorization: the only checks applied are the ordinary validation rules (all required fields present, a password that meets the policy), and nothing restricts the privilege level the request asks for. The vulnerability is classified as CWE-287 (Improper Authentication), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), and affects FACTION versions prior to 1.4.3.
Any unauthenticated attacker with network access to the FACTION instance can exploit this by submitting a registration request that passes validation and specifies admin privileges. No user interaction or existing privileges are required, so exploitation is remote and low-complexity. Successful exploitation yields full administrative access, which exposes sensitive penetration testing reports and allows the attacker to act on projects and framework data with elevated permissions. Note that the published vector scores only the confidentiality impact (I:N/A:N); given that an administrator account is obtained, defenders should treat it as the floor and assume integrity of stored reports may also be affected.
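The defect described above is a client-controlled privilege level on an unauthenticated registration endpoint. The following is an added illustration, not FACTION's own code: a minimal model of a registration handler that applies only the validation rules the advisory mentions and honours a client-supplied role, beside a hardened handler that decides the role server-side. The field names, the password policy and the in-memory user store are assumptions made for the example.

```python
"""Illustrative registration handlers for the CVE-2025-27422 pattern.
Hypothetical code, not FACTION's own; request field names, the password
policy and the in-memory store are assumptions for this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

ADMIN = "admin"
USER = "user"


@dataclass
class User:
    username: str
    email: str
    role: str


@dataclass
class Db:
    """Stand-in for the application's user table."""
    users: Dict[str, User] = field(default_factory=dict)

    def add(self, user: User) -> User:
        if user.username in self.users:
            raise ValueError("username taken")
        self.users[user.username] = user
        return user


def validate(req: dict) -> None:
    """Only the checks the advisory says were enforced: required fields
    present and a 'secure' password (policy details are an assumption)."""
    for key in ("username", "email", "password"):
        if not req.get(key):
            raise ValueError(f"missing {key}")
    pw = req["password"]
    if (len(pw) < 12 or not re.search(r"[A-Z]", pw)
            or not re.search(r"\d", pw) or not re.search(r"[^A-Za-z0-9]", pw)):
        raise ValueError("password does not meet policy")


def register_vulnerable(req: dict, db: Db) -> User:
    """Unsafe: trusts a client-supplied 'role'. Anyone who satisfies the
    validation rules can create an administrator (the CWE-287 flaw)."""
    validate(req)
    return db.add(User(req["username"], req["email"], req.get("role", USER)))


def register_hardened(req: dict, db: Db, actor: Optional[User] = None) -> User:
    """Safe: the privilege level is decided server-side. Unauthenticated
    self-registration can only yield a plain user; a privileged role is
    granted only when the caller is an authenticated administrator."""
    validate(req)
    requested = req.get("role", USER)
    if requested != USER and (actor is None or actor.role != ADMIN):
        raise PermissionError("privileged accounts require an authenticated admin")
    return db.add(User(req["username"], req["email"], requested))


if __name__ == "__main__":
    # Constructed request: valid fields, strong password, and role=admin.
    attacker_req = {"username": "eve", "email": "eve@example.test",
                    "password": "Correct-Horse-9!", "role": ADMIN}
    print("vulnerable:", register_vulnerable(attacker_req, Db()).role)
    try:
        register_hardened(attacker_req, Db())
    except PermissionError as exc:
        print("hardened:", exc)
```

The hardened variant keeps the same validation rules; the fix is purely that the role is no longer something the unauthenticated caller gets to choose, which is the control AC-2 and AC-14 describe.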
The vulnerability is fixed in FACTION version 1.4.3, as detailed in the project's GitHub security advisory (GHSA-97cv-f342-v2jc) and the corresponding fix commit (0a6848d388d6dba1c81918cce2772b1e805cd3d6). Practitioners should upgrade immediately and then check for prior exploitation: enumerate administrator accounts and confirm each was created by a known administrator, and review web server access logs for registration requests around the creation time of any account that was not. Any administrator account that cannot be accounted for should be treated as attacker-controlled and removed, with the reports it could reach considered exposed.
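The two checks above (unexplained administrator accounts, and registration requests near their creation time) can be scripted against an export of the user table and the web server access log. The following is an added example, not FACTION tooling: the export columns, the /register path and the log lines are constructed assumptions, and the real column names and endpoint path must be taken from the deployed instance.

```python
"""Post-patch triage for CVE-2025-27422: flag administrator accounts that
were self-registered rather than created by an administrator, and pull the
registration requests around each one out of the access log.
Added example, not FACTION's own tooling. The export columns, the
/register path and the log lines below are constructed assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Constructed user export (assumed columns). created_by is None for
# accounts that came in through the public registration form.
USER_EXPORT = [
    {"username": "alice", "role": "admin", "created_at": "2025-02-20T09:00:00Z", "created_by": "setup"},
    {"username": "bob", "role": "user", "created_at": "2025-02-27T14:12:30Z", "created_by": None},
    {"username": "sys_backup", "role": "admin", "created_at": "2025-03-01T02:41:07Z", "created_by": None},
]

# Constructed access log in Apache/nginx combined format.
ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2025:02:41:06 +0000] "POST /register HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2025:02:41:08 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [01/Mar/2025:09:15:22 +0000] "GET /reports HTTP/1.1" 200 4412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
REGISTRATION_PATHS = {"/register"}  # assumption: adjust to the real endpoint


def parse_iso(ts: str) -> datetime:
    """Parse the export's UTC timestamps ('2025-03-01T02:41:07Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list:
    """Turn combined-format lines into dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def suspicious_admins(users: list) -> list:
    """Administrator accounts with no recorded administrator as creator."""
    return [u for u in users if u["role"] == "admin" and not u["created_by"]]


def correlate(users: list, events: list, window: timedelta = timedelta(seconds=30)) -> list:
    """For each suspicious admin, collect the source IPs of registration
    POSTs logged within `window` of the account's creation time."""
    findings = []
    for u in suspicious_admins(users):
        created = parse_iso(u["created_at"])
        hits = [e for e in events
                if e["method"] == "POST" and e["path"] in REGISTRATION_PATHS
                and abs(e["ts"] - created) <= window]
        findings.append({
            "username": u["username"],
            "created_at": u["created_at"],
            "source_ips": sorted({e["ip"] for e in hits}),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(USER_EXPORT, parse_log(ACCESS_LOG)):
        print(f"{f['username']} (created {f['created_at']}) <- {f['source_ips'] or 'no matching POST'}")
```

An account that is flagged but has no matching registration request within the window is still worth investigating; the absence of a log hit may mean log rotation or a proxy in front of the application, not a clean result.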
Details
- CWE(s)