CVE-2022-25369
Published: 2026-01-23
Priority: P1 · 91 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.74% (98.5th percentile)
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
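The fixed releases above are per maintenance branch, so a plain "version < 9.12.8" comparison misclassifies patched branches such as 9.6.16 or 9.10.18. The following triage helper is an added example for this page, not Dynamicweb or VulnCheck code. It encodes only what the description states (per-branch fixed releases, 9.13.0 and later) plus the 9.5.0 lower bound from the Nuclei template below; branches with no listed fix (for example 9.11) are assumed vulnerable until 9.12.8/9.13.0, which is an assumption of this example.

```python
"""Triage a Dynamicweb 9.x version against the fixed releases for CVE-2022-25369.

Added example for this page, not vendor code. Data comes from the CVE
description (per-branch fixed releases, 9.13.0 and later) and the nuclei
template's affected range (9.5.0 - 9.12.7). Branches without a listed fix
(e.g. 9.11) are treated as vulnerable; that is an assumption of this example.
"""

# Lowest fixed release on each branch, from the CVE description.
FIXED_BY_BRANCH = {
    (9, 5): (9, 5, 9),
    (9, 6): (9, 6, 16),
    (9, 7): (9, 7, 8),
    (9, 8): (9, 8, 11),
    (9, 9): (9, 9, 8),
    (9, 10): (9, 10, 18),
    (9, 12): (9, 12, 8),
}
FIRST_AFFECTED = (9, 5, 0)     # lower bound of the nuclei template's range
FIXED_MAINLINE = (9, 13, 0)    # "9.13.0 (and later)"


def parse_version(text):
    """Turn '9.12.7', 'v9.12.7' or '9.12.7.1234' into a (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(text):
    """True if vulnerable, False if fixed, None if below the advisory's range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return None                      # the advisory says nothing about it
    if v >= FIXED_MAINLINE:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])   # branch-specific fix, if any
    if fixed is not None and v >= fixed:
        return False
    return True


def triage(versions):
    """Map each version string to 'vulnerable', 'fixed' or 'unknown'."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {s: labels[is_vulnerable(s)] for s in versions}


if __name__ == "__main__":
    print(triage(["9.12.7", "9.12.8", "9.6.15", "9.6.16", "9.11.3", "9.13.0"]))
```

Feed it the version string reported by the instance (for example from the admin UI or the vendor's release notes); anything labelled "unknown" is below 9.5.0 and outside what the advisory covers.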
Detection & IOCs (extracted from sources)
URL (Nuclei request, with template placeholders): /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&[email protected]&adminname=test
Path: /Admin/Access/Setup/Default.aspx
- Detect unauthenticated GET requests to /Admin/Access/Setup/Default.aspx with the query parameter Action=createadministrator; successful exploitation returns HTTP 200 with Content-Type application/json and a body containing "Success": true (with or without the space).
- The Shodan query http.component:"Dynamicweb" identifies internet-exposed Dynamicweb instances that may be vulnerable to this CVE.
- After creating the rogue admin account, attackers upload an executable file to achieve command execution; monitor for unusual file uploads (e.g. .aspx or .exe) through the Dynamicweb admin panel by newly created admin accounts.
- The vulnerability is a logic flaw in the setup-phase guard: the Default.aspx setup endpoint remains reachable after initial installation, so the administrator-creation step can be re-run without authentication.
- Affected versions are Dynamicweb 9.5.0 through 9.12.7; fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).
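The request-side indicators above translate directly into a web-log check. The script below is an added example for this page, not Dynamicweb, VulnCheck or ProjectDiscovery code. It assumes the default IIS W3C field order given in FIELDS (Dynamicweb is an ASP.NET application; adjust FIELDS to your own "#Fields:" header), and the log lines in SAMPLE_LOG are constructed for the example. It also handles two evasions the bullet does not spell out: mixed case and percent-encoding in the path and parameter names.

```python
"""Spot CVE-2022-25369 setup-endpoint abuse in IIS W3C access logs.

Added example for this page, not Dynamicweb, VulnCheck or ProjectDiscovery
code. Assumes the default IIS W3C field order in FIELDS; adjust it to the
"#Fields:" header of your logs. SAMPLE_LOG is constructed for the example.
"""
from urllib.parse import parse_qs, unquote

# Assumed #Fields: order (IIS default W3C extended logging).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs-referer",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

SETUP_PATH = "/admin/access/setup/default.aspx"   # the vulnerable endpoint

# Constructed sample: a successful create, a blocked attempt with a
# percent-encoded parameter name, an unrelated admin request, and a plain
# hit on the setup page (still worth knowing about after installation).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2023-11-14 08:12:01 10.0.0.5 GET /Admin/Access/Setup/Default.aspx Action=createadministrator&adminusername=zq8wkc&adminpassword=p4ssw0rd&adminemail=a%40example.test&adminname=test 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 15
2023-11-14 08:12:05 10.0.0.5 GET /Admin/Access/Setup/Default.aspx %41ction=createadministrator&adminusername=ops2 443 - 203.0.113.7 curl/8.4 - 403 0 0 3
2023-11-14 08:13:40 10.0.0.5 GET /Admin/Default.aspx - 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 40
2023-11-14 08:14:02 10.0.0.5 GET /Admin/Access/Setup/Default.aspx - 443 - 198.51.100.4 Mozilla/5.0 - 302 0 0 6
"""


def parse_line(line):
    """Return a field dict for one W3C log line, or None for headers/junk."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return a finding dict if the request touches the setup endpoint, else None."""
    # Decode the stem so /Admin/Access/%53etup/... is not missed.
    if not unquote(entry["cs-uri-stem"]).lower().endswith(SETUP_PATH):
        return None
    query = entry["cs-uri-query"]              # IIS logs "-" when there is no query
    # parse_qs decodes once; a second unquote on the key catches
    # double-encoded parameter names such as %2541ction.
    params = {unquote(k).lower(): v[0]
              for k, v in parse_qs(query, keep_blank_values=True).items()}
    action = params.get("action", "").lower()
    if action == "createadministrator":
        # The page's matcher: HTTP 200 plus a JSON body with "Success": true.
        # The body is not in the access log, so 200 is "possible", not proof.
        verdict = "possible_success" if entry["sc-status"] == "200" else "attempt"
    else:
        verdict = "setup_endpoint_hit"         # reachable post-install; low signal
    return {
        "when": f'{entry["date"]} {entry["time"]}',
        "src": entry["c-ip"],
        "status": entry["sc-status"],
        "user": params.get("adminusername"),   # the rogue admin name to hunt for
        "verdict": verdict,
    }


def scan(lines):
    """Run classify() over an iterable of log lines; return findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A "possible_success" finding gives you the account name the attacker chose; the next thing to check is whether that account exists in the Dynamicweb user table and what it uploaded afterwards, which is the follow-up step described in the bullets above.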
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-4p27-wx99-rf43 (ghsa, unreviewed, 2026-01-23) · CVE-2022-25369 · CRITICAL · CWE-287
Description: identical to the CVE description above.
VulnCheck
Dynamicweb Logic Flaw Leading to Remote Code Execution (vulncheck, 2022, CVSS 9.8) · CVE-2022-25369 · CRITICAL
Affected: Dynamicweb / Dynamicweb (vendor / product)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2022-25369; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2022-25369; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-16&host_type=src&vulnerability=cve-2022-25369; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11
No detection rules found.
Nuclei
Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation (nuclei, CVSS 9.8) · CVE-2022-25369 · CRITICAL
Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user.
Template (info section as excerpted):
id: CVE-2022-25369
info:
  name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation
  author: pdteam
  severity: critical
  description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user.
  impact: |
    Unauthenticated attackers can create administrative user accounts through the unprotected Default.aspx endpoint, gaining complete control over the Dynamicweb CMS, its content, and potentially the underlying system.
  remediation: |
    Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.