CVE-2022-25369
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
Analysis
Dynamicweb CMS before version 9.12.8 (and the unpatched releases of the 9.5 through 9.10 branches listed in the description) contains a critical authentication bypass that lets an unauthenticated attacker create a new administrator account. The root cause is a logic error in the check that decides whether the product's setup phases may be run again: on an already deployed instance the wizard can be re-entered, so an attacker walks through it to register an admin account, logs in with it, and then uses the CMS's file upload to place an executable file and obtain command execution on the server.
Technical Context
The Dynamicweb CMS fails to properly restrict access to its setup/initialization endpoints after initial deployment. A logic flaw in the check that determines whether the setup phases are still available lets an attacker pass that check and invoke the setup wizard again with no credentials, which is why the CVSS vector carries PR:N and UI:N. Through the wizard the attacker creates a new administrator account. Once authenticated as that admin, the CMS's file management features allow uploading an arbitrary executable file, which can then be requested to run it. The full chain is therefore unauthenticated network access to remote code execution, with the rogue admin account and the uploaded file as the two artifacts it leaves behind.
Affected Products
Dynamicweb CMS < 9.12.8 (fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8 and 9.13.0 or later)
Remediation
Update to Dynamicweb 9.12.8 or later, or to the fixed release for the branch you run (9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.13.0). After patching, verify that the setup wizard can no longer be reached from an unauthenticated session on production instances. Audit administrator accounts for entries nobody created; because an instance that ran a vulnerable build could have been exploited without leaving credentials behind, an unknown admin should be treated as an indicator of compromise, and the file store should be checked for uploaded executables before the account is simply deleted. As defense in depth, restrict access to the setup/installation endpoints at the web server level so that the wizard is unreachable even if the application-level check regresses.
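The attack chain described under Technical Context (setup wizard re-entered, rogue admin created, executable uploaded) gives three concrete things to check after applying the fix, matching the remediation steps above. The script below is an added example and is not part of this page or of Dynamicweb's own code: the setup paths in `SETUP_PATHS`, the JSON account-export format, the log-line format and all sample data are assumptions constructed for illustration and must be replaced with the real values for your deployment.

```python
"""Post-fix checks for the setup-wizard re-execution issue in Dynamicweb
(CVE-2022-25369). Added example, not Dynamicweb code: setup paths, the
account export format, the log line format and the sample data below are
assumptions chosen for illustration."""
import json
import re
import sys
import urllib.error
import urllib.request

# ASSUMPTION: candidate setup/installation paths to probe. The advisory does
# not name Dynamicweb's real paths; substitute the ones for your version.
SETUP_PATHS = ["/Admin/Setup", "/Admin/Install", "/Setup"]

# Server-side executable extensions an uploaded "file" must never carry.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".exe", ".dll"}

# ASSUMPTION: application log format "<ts> user=<user> <METHOD> <path> [name=<file>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: name=(?P<name>\S+))?$"
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page must be reported as
    'protected', not followed to a 200 that would look like exposure."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=5.0):
    """HTTP status of one unauthenticated GET (no cookies, no credentials)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "setup-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_setup_paths(base_url, paths=SETUP_PATHS, status_fn=http_status):
    """Return (path, status) for each setup path that serves a 2xx to an
    unauthenticated client. On a deployed instance the acceptable answers are
    401/403/404 or a 3xx bounce to the login page; anything else is a finding."""
    base = base_url.rstrip("/")
    exposed = []
    for path in paths:
        code = status_fn(base + path)
        if 200 <= code < 300:
            exposed.append((path, code))
    return exposed


def unexpected_admins(account_export_json, allowlist):
    """Flag administrator accounts absent from the allowlist, oldest first.
    On an instance that ran a vulnerable build this is a compromise
    indicator, so investigate before deleting the account."""
    accounts = json.loads(account_export_json)
    flagged = [
        (a["username"], a["created"])
        for a in accounts
        if a.get("is_admin") and a["username"] not in allowlist
    ]
    return sorted(flagged, key=lambda item: item[1])


def executable_uploads(log_lines, users):
    """Return (timestamp, user, filename) for uploads by the given users whose
    name carries a server-executable extension anywhere in it, so that
    double-extension tricks such as 'cmd.aspx;.jpg' are still caught."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("user") not in users or not m.group("name"):
            continue
        name = m.group("name")
        suffixes = {s.lower() for s in re.findall(r"\.[A-Za-z0-9]+", name)}
        if suffixes & EXECUTABLE_EXTENSIONS:
            hits.append((m.group("ts"), m.group("user"), name))
    return hits


# Constructed sample data (not a real export and not real log lines).
SAMPLE_ACCOUNTS = json.dumps([
    {"username": "ops-admin", "is_admin": True, "created": "2021-06-01T09:00:00Z"},
    {"username": "editor1", "is_admin": False, "created": "2021-07-15T12:00:00Z"},
    {"username": "svc-setup", "is_admin": True, "created": "2022-02-20T03:14:07Z"},
])
KNOWN_ADMINS = {"ops-admin"}
SAMPLE_LOG = [
    "2022-02-20T03:14:05Z user=- POST /Admin/Setup",
    "2022-02-20T03:15:30Z user=svc-setup POST /Admin/Files/Upload name=report.pdf",
    "2022-02-20T03:15:41Z user=svc-setup POST /Admin/Files/Upload name=cmd.aspx;.jpg",
    "2022-02-21T08:00:00Z user=ops-admin POST /Admin/Files/Upload name=banner.aspx",
]

if __name__ == "__main__":
    rogue = unexpected_admins(SAMPLE_ACCOUNTS, KNOWN_ADMINS)
    print("admins not on allowlist:", rogue)
    print("executable uploads by them:", executable_uploads(SAMPLE_LOG, {u for u, _ in rogue}))
    if len(sys.argv) > 1:  # live probe, e.g. python check.py https://cms.example.test
        print("setup paths reachable unauthenticated:", exposed_setup_paths(sys.argv[1]))
```

Run it with no arguments to see the offline triage on the constructed data; pass a base URL to probe a real host. The probe deliberately refuses to follow redirects so that a bounce to the login page is not mistaken for an exposed wizard, and the upload check scans every extension in the filename rather than only the last one.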