CVE-2025-0364 Overview
CVE-2025-0364 is a critical unauthenticated remote code execution vulnerability affecting BigAntSoft BigAnt Server versions up to and including 5.6.06. This vulnerability allows an unauthenticated remote attacker to create an administrative user through the default exposed SaaS registration mechanism. Once administrative access is obtained, the attacker can upload and execute arbitrary PHP code using the "Cloud Storage Addin," leading to complete system compromise.
Critical Impact
This vulnerability enables unauthenticated attackers to achieve full remote code execution on affected BigAnt Server installations by exploiting the default SaaS registration mechanism to create admin accounts and subsequently upload malicious PHP files.
Affected Products
- BigAntSoft BigAnt Server versions up to and including 5.6.06
- All deployments with default SaaS registration mechanism enabled
- Systems with the Cloud Storage Addin functionality accessible
Discovery Timeline
- 2025-02-04 - CVE-2025-0364 published to NVD
- 2025-09-29 - Last updated in NVD database
Technical Details for CVE-2025-0364
Vulnerability Analysis
This vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The core issue stems from a fundamental design flaw in how BigAnt Server handles user registration and administrative access controls. The server exposes a SaaS registration mechanism by default that allows anyone to create user accounts, including administrative accounts, without proper authorization checks.
The attack chain involves two distinct phases. First, an attacker exploits the exposed registration endpoint to create an account with administrative privileges. Second, the attacker leverages the administrative access to upload arbitrary PHP code through the Cloud Storage Addin functionality. Since the server executes uploaded PHP files without proper validation or sandboxing, this results in arbitrary code execution with the privileges of the web server process.
Root Cause
The root cause of this vulnerability is the lack of proper access controls on the SaaS registration mechanism combined with insufficient validation of uploaded files through the Cloud Storage Addin. The registration endpoint fails to verify that account creation requests are authorized, and the file upload functionality does not prevent execution of uploaded PHP scripts.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability remotely by:
- Identifying a vulnerable BigAnt Server instance exposed to the network
- Accessing the SaaS registration endpoint to create an administrative account
- Authenticating with the newly created admin credentials
- Uploading a malicious PHP webshell or payload through the Cloud Storage Addin
- Executing the uploaded PHP file to achieve code execution on the server
The vulnerability requires no special privileges and can be exploited with low attack complexity. For detailed technical information about the exploitation mechanism, refer to the Vulncheck Advisory and the GitHub PoC repository.
Detection Methods for CVE-2025-0364
Indicators of Compromise
- Unexpected administrative accounts created in BigAnt Server user management
- PHP files appearing in Cloud Storage directories that were not legitimately uploaded
- Suspicious outbound network connections from the BigAnt Server process
- Web server logs showing requests to newly created PHP files in storage directories
Detection Strategies
- Monitor BigAnt Server logs for unauthorized account creation events, particularly administrative accounts
- Implement file integrity monitoring on directories accessible through the Cloud Storage Addin
- Deploy network-based intrusion detection rules to identify exploitation attempts against the registration endpoint
- Review web server access logs for unusual patterns of account creation followed by file uploads
Monitoring Recommendations
- Enable verbose logging on BigAnt Server to capture registration and file upload events
- Configure alerts for new administrative account creation in the BigAnt Server environment
- Monitor for PHP file creation in storage directories through endpoint detection solutions
- Implement network segmentation monitoring to detect unauthorized lateral movement from compromised servers
How to Mitigate CVE-2025-0364
Immediate Actions Required
- Restrict network access to BigAnt Server to trusted networks only until patching is complete
- Disable or restrict access to the SaaS registration mechanism if not required
- Review existing user accounts for any unauthorized administrative accounts and remove them
- Audit Cloud Storage directories for suspicious PHP files and remove any malicious uploads
Patch Information
Organizations should contact BigAntSoft directly for information about security patches addressing CVE-2025-0364. Monitor the vendor's official channels for security updates. Review the Vulncheck Advisory for the latest remediation guidance.
Workarounds
- Implement network-level access controls to restrict access to the BigAnt Server registration endpoints
- Configure web application firewall rules to block unauthorized requests to the SaaS registration mechanism
- Disable the Cloud Storage Addin functionality if not required for business operations
- Place BigAnt Server behind a reverse proxy with authentication requirements for administrative functions
# Example: Network-level restriction using iptables
# Restrict access to BigAnt Server port to trusted networks only
iptables -A INPUT -p tcp --dport 6660 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6660 -j DROP
# Block access to registration endpoints at the firewall level
# Consult BigAnt Server documentation for specific endpoint paths
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
