Cyber Resilience

CVE-2025-66022

Critical · Public PoC

Published: 26 November 2025
Modified: 02 January 2026
KEV Added: not listed
Patch: available (FACTION 1.7.1)
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66022 is a critical-severity Improper Authentication (CWE-287) vulnerability in OWASP Faction. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-66022 is a remote code execution (RCE) vulnerability in FACTION, a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, the extension execution path in Faction's extension framework allows untrusted extension code to execute arbitrary system commands on the server hosting Faction when a lifecycle hook is invoked. This flaw stems from improper authentication and access controls, specifically a missing authentication check on the /portal/AppStoreDashboard endpoint, which exposes the extension management UI.

Unauthenticated attackers can exploit this vulnerability over the network by accessing the unauthenticated endpoint to upload a malicious extension. Once uploaded, invoking a lifecycle hook triggers the execution of arbitrary system commands, achieving full RCE on the Faction host. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its high severity, with low attack complexity, no privileges required, user interaction needed, and changed scope impacting confidentiality, integrity, and availability. Associated CWEs include CWE-287 (Improper Authentication), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), and CWE-862 (Missing Authorization).

The issue has been addressed in FACTION version 1.7.1, as detailed in the project's GitHub security advisory (GHSA-xr72-2g43-586w) and the patching commit (c6389f1c76175b7c1c68d1a87b389311b16c62c3). Security practitioners should upgrade to 1.7.1 or later and review access to extension management endpoints.
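As an added, defensive illustration (not part of this advisory or of the Faction project): a log check that flags requests which reached /portal/AppStoreDashboard without an authenticated session and were still served, plus a version check against the 1.7.1 fix. The log line format, the sample lines and the JSESSIONID cookie name are assumptions; adapt them to your deployment's access logs.

```python
import re

# Constructed sample access-log lines (not real Faction logs). Assumed format:
#   client_ip method path status cookie_header_or_dash
SAMPLE_LOG = """\
203.0.113.10 GET /portal/AppStoreDashboard 200 -
203.0.113.10 POST /portal/AppStoreDashboard 200 -
198.51.100.7 GET /portal/AppStoreDashboard 200 JSESSIONID=abc123
198.51.100.7 GET /portal/dashboard 200 JSESSIONID=abc123
192.0.2.44 GET /portal/AppStoreDashboard 302 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
WATCHED_PATH = "/portal/AppStoreDashboard"  # endpoint named in the advisory
SESSION_COOKIE = "JSESSIONID"               # assumed name of the session cookie


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, cookies = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "cookies": cookies}


def find_unauthenticated_access(log_text):
    """Return (client, method, status, reason) for requests that reached the
    extension management UI without a session cookie and got a 2xx response.
    A redirect or 401/403 means an authentication check fired, so it is not flagged."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue
        if f"{SESSION_COOKIE}=" in rec["cookies"] or not 200 <= rec["status"] < 300:
            continue
        if rec["method"] == "POST":
            reason = "unauthenticated POST to extension endpoint (possible extension upload)"
        else:
            reason = "unauthenticated access to extension management UI"
        findings.append((rec["ip"], rec["method"], rec["status"], reason))
    return findings


def is_affected_version(version):
    """Per the advisory, releases prior to 1.7.1 are affected; 1.7.1 carries the fix."""
    return tuple(int(p) for p in version.split(".")) < (1, 7, 1)
```

The 302 sample line is deliberately not flagged: an unauthenticated request that is redirected is the behaviour a patched instance should show.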

Vulnerability details

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.

CWE(s)

CWE-287 Improper Authentication
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a public-facing web application flaw allowing unauthenticated remote code execution via malicious extension upload and lifecycle hook invocation, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21876 (same vendor: Owasp)
CVE-2026-33691 (same vendor: Owasp)
CVE-2026-28408 (shared CWE-287, CWE-862)
CVE-2026-40316 (same vendor: Owasp)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2025-71279 (shared CWE-287)
CVE-2026-24532 (shared CWE-862)

Affected Assets

Vendor: owasp
Product: faction
Versions: ≤ 1.7.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Directly addresses the missing authentication check on the /portal/AppStoreDashboard endpoint by prohibiting sensitive actions like extension uploads without identification and authentication.

AC-3 Access Enforcement (prevent)

Enforces access control policies requiring authentication and authorization for the extension management UI, preventing unauthenticated attackers from uploading malicious extensions.

CM-11 User-Installed Software (prevent)

Prohibits installation and execution of unapproved user-installed software such as malicious extensions, mitigating RCE even if an upload occurs.