cbcvebase.
CVE-2022-25369
published 2026-01-23


Priority: P1 (91) · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, exploit available, VulnCheck KEV
Exploited in the wild
EPSS: 40.74% (98.5th percentile)
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).

Detection & IOCs (extracted from sources)

URL: /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&[email protected]&adminname=test
Path: /Admin/Access/Setup/Default.aspx
  • Detect unauthenticated GET requests to /Admin/Access/Setup/Default.aspx with the query parameter Action=createadministrator; a successful exploitation returns HTTP 200 with a JSON body containing '"Success": true' or '"Success":true' and a Content-Type of application/json.
  • Shodan query 'http.component:"Dynamicweb"' can be used to identify internet-exposed Dynamicweb instances potentially vulnerable to this CVE.
  • After creating the rogue admin account, attackers follow up by uploading an executable file to achieve command execution — monitor for unusual file uploads (e.g., .aspx/.exe) via the Dynamicweb admin panel from newly created admin accounts.
  • The vulnerability is a logic flaw in the setup phase guard — the Default.aspx setup endpoint remains accessible after initial installation, allowing re-execution of the administrator creation step without authentication.
  • Affected versions are Dynamicweb 9.5.0 through 9.12.7; fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
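A log-scanning sketch of the first detection bullet, added here as an example (not from the page's sources or from Dynamicweb): it walks web-server access-log lines and reports requests to the setup endpoint carrying Action=createadministrator, treating a 200 response as a likely success. The log lines are constructed; matching is case-insensitive on the assumption that IIS/ASP.NET treat the path and query names that way, and it flags any HTTP method rather than only GET.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2026:10:15:01 +0000] "GET /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername=abc123&adminpassword=xyz789&adminname=test HTTP/1.1" 200 21 "-" "curl/8.4.0"
198.51.100.2 - - [23/Jan/2026:10:15:04 +0000] "GET /Admin/Access/Setup/Default.aspx HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Jan/2026:10:16:11 +0000] "GET /Admin/Default.aspx?Action=createadministrator HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2026:10:17:30 +0000] "POST /admin/access/setup/default.aspx?action=CreateAdministrator&adminusername=abc123 HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Setup endpoint named in the CVE; compared case-insensitively because
# IIS/ASP.NET treat paths and query-string names that way (assumption).
SETUP_PATH = "/admin/access/setup/default.aspx"


def classify(line):
    """Return a finding dict for a setup-endpoint createadministrator request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != SETUP_PATH:
        return None
    qs = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if "createadministrator" not in [a.lower() for a in qs.get("action", [])]:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": status,
        "username": qs.get("adminusername", [None])[0],
        # An access log carries no response body, so a 200 is only a likely
        # success; the '"Success": true' JSON check needs a proxy or WAF that logs bodies.
        "severity": "likely_success" if status == 200 else "attempt",
    }


def scan(log_text):
    """Classify every line of an access log and return the findings in order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:14} {f['ts']} {f['ip']} {f['method']} "
              f"status={f['status']} user={f['username']}")
```

Requests from accounts that already hold an admin session should be excluded upstream if the proxy logs authentication state; the script itself only sees the request line and status.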

CVSS provenance

NVD: CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
VulnCheck: 9.8 CRITICAL
CISA: 7.1 HIGH