CVE-2025-66022
Published: 26 November 2025
Summary
CVE-2025-66022 is a critical-severity Improper Authentication (CWE-287) vulnerability in OWASP Faction. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly addresses the missing authentication check on the /portal/AppStoreDashboard endpoint by prohibiting sensitive actions like extension uploads without identification and authentication.
- AC-3 (Access Enforcement): enforces access control policies requiring authentication and authorization for the extension management UI, preventing unauthenticated attackers from uploading malicious extensions.
- Prohibits installation and execution of unapproved user-installed software such as malicious extensions, mitigating RCE even if an upload occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a public-facing web application flaw allowing unauthenticated remote code execution via malicious extension upload and lifecycle hook invocation, directly mapping to Exploit Public-Facing Application (T1190).
NVD Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction's extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
Deeper analysis
CVE-2025-66022 is a remote code execution (RCE) vulnerability in FACTION, a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, the extension execution path in Faction's extension framework allows untrusted extension code to execute arbitrary system commands on the server hosting Faction when a lifecycle hook is invoked. This flaw stems from improper authentication and access controls, specifically a missing authentication check on the /portal/AppStoreDashboard endpoint, which exposes the extension management UI.
Unauthenticated attackers can exploit this vulnerability over the network by accessing the unauthenticated endpoint to upload a malicious extension. Once uploaded, invoking a lifecycle hook triggers the execution of arbitrary system commands, achieving full RCE on the Faction host. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its high severity, with low attack complexity, no privileges required, user interaction needed, and changed scope impacting confidentiality, integrity, and availability. Associated CWEs include CWE-287 (Improper Authentication), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), and CWE-862 (Missing Authorization).
The issue has been addressed in FACTION version 1.7.1, as detailed in the project's GitHub security advisory (GHSA-xr72-2g43-586w) and the patching commit (c6389f1c76175b7c1c68d1a87b389311b16c62c3). Security practitioners should upgrade to 1.7.1 or later and review access to extension management endpoints.
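Two triage helpers for this advisory, added here as example code (they are not from the Faction project or the advisory): a version check against the 1.7.1 fix, and a scan of reverse-proxy access logs for requests that reached the unauthenticated /portal/AppStoreDashboard endpoint. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re

FIXED_VERSION = (1, 7, 1)                    # patched release named in the advisory
EXPOSED_PATH = "/portal/AppStoreDashboard"   # endpoint that lacked the auth check

def parse_version(v: str) -> tuple:
    """Turn '1.7.0' or 'v1.6.9-rc1' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", v)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version: str) -> bool:
    """True for every Faction release before the 1.7.1 fix."""
    return parse_version(version) < FIXED_VERSION

# Assumption: the proxy in front of Faction writes Apache/nginx combined-format
# access logs. The "user" field is the proxy's remote-user, usually "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_extension_ui_access(lines):
    """Return (ip, method, path, status) for every request that reached the
    extension management endpoint. On an unpatched host, a successful POST here
    is the request that can carry an extension upload and deserves review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip lines that are not access-log entries
        path = m["path"].split("?", 1)[0]    # drop any query string before matching
        if path.startswith(EXPOSED_PATH):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines (RFC 5737 test addresses), not from a real deployment.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Nov/2025:09:58:12 +0000] "GET /portal/Reports HTTP/1.1" 200 2311',
    '203.0.113.5 - - [26/Nov/2025:10:00:01 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 200 5120',
    '203.0.113.5 - - [26/Nov/2025:10:00:09 +0000] "POST /portal/AppStoreDashboard HTTP/1.1" 200 88',
    '198.51.100.7 - - [26/Nov/2025:10:01:40 +0000] "GET /static/app.js HTTP/1.1" 304 0',
]

if __name__ == "__main__":
    print("1.7.0 vulnerable:", is_vulnerable("1.7.0"))   # True
    print("1.7.1 vulnerable:", is_vulnerable("1.7.1"))   # False
    for hit in flag_extension_ui_access(SAMPLE_LOG):
        print("review:", hit)
```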
Details
- CWE(s)