Advisory: Dynamicweb Logic Flaw Leading to RCE (CVE-2022-25369)

Feb 20, 2022


An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again.


Once an attacker is authenticated as the new admin user they have added, it is possible to upload a web shell and achieve command execution.

Version Tested Against

DynamicWeb 9.12.6

Product Description

Dynamicweb offers a cloud based eCommerce suite. Dynamicweb enables customers to deliver better digital customer experiences and to scale ecommerce success through our Content Management, Digital Marketing, Ecommerce, and Product Information Management solutions.


Hotfixed versions that contain a fix can be found below:

  • Dynamicweb 9.5.9
  • Dynamicweb 9.6.16
  • Dynamicweb 9.7.8
  • Dynamicweb 9.8.11
  • Dynamicweb 9.9.
  • Dynamicweb 9.10.18
  • Dynamicweb 9.12.8
  • Dynamicweb 9.13.0+

Vulnerabilities[email protected]&adminname=test

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Assetnote Security Research Team


The timeline for this disclosure process can be found below:

  • Jan 21st, 2022: Disclosure of pre-auth bug to add admin user
  • Jan 21st, 2022: Confirmation and fix information from Dynamicweb CTO
  • Jan 24th, 2022: Fixes rolled out to Dynamicweb customers
  • Feb 24th, 2022: Published advisory and blog post

See Assetnote in action

Find out how Assetnote can help you lock down your external attack surface.

Use the lead form below, or alternatively contact us via email by clicking here.