CVE-2022-25369

CRITICAL EXPLOITED NUCLEI

Dynamicweb <9.12.8 - Auth Bypass

Title source: llm

Description

An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).

Nuclei Templates (1)

Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation

CRITICALby pdteam

Shodan: http.component:"Dynamicweb"

References (2)

[Various Sources] https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369

[Various Sources] https://www.dynamicweb.com/resources/downloads?Category=Releases

Scores

CVSS v3 9.8

EPSS 0.8014

EPSS Percentile 99.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-14

CWE

CWE-287 CWE-288

Status published

Published Jan 23, 2026

Tracked Since Feb 18, 2026