CVE-2025-0364

9.8 CRITICAL

📋 TL;DR

BigAntSoft BigAnt Server up to version 5.6.06 allows unauthenticated remote attackers to create administrative accounts through the default SaaS registration mechanism. Once an administrator, attackers can upload and execute arbitrary PHP code via the Cloud Storage Addin, leading to complete system compromise. All organizations running vulnerable versions with internet-facing instances are affected.

💻 Affected Systems

Products:
  • BigAntSoft BigAnt Server
Versions: Up to and including version 5.6.06
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Default SaaS registration mechanism is exposed by default. Cloud Storage Addin must be enabled for full RCE.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with persistent backdoor installation, data exfiltration, and lateral movement across the network.

🟠 Likely Case

Unauthenticated attackers gain administrative access and execute arbitrary code, potentially deploying ransomware, cryptocurrency miners, or establishing command and control channels.

🟢 If Mitigated

Attackers can still create administrative accounts but cannot execute code due to proper access controls and monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available. Exploitation requires two steps: account creation then code upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check the vendor website for security updates.
2. Upgrade to a version beyond 5.6.06 when available.
3. Apply the patch if released.

🔧 Temporary Workarounds

Disable SaaS Registration
Applies to: all

Disable the default SaaS registration mechanism to prevent unauthenticated account creation.

Modify BigAnt Server configuration to disable SaaS registration (specific commands depend on installation)

Disable Cloud Storage Addin
Applies to: all

Disable the Cloud Storage Addin to prevent PHP code upload and execution.

Remove or disable Cloud Storage Addin from BigAnt Server administration panel

🧯 If You Can't Patch

  • Network segmentation: Isolate BigAnt Server from internet and restrict internal access.
  • Implement strict firewall rules: Block all external access to BigAnt Server except from trusted IPs.

🔍 How to Verify

Check if Vulnerable:

Check the BigAnt Server version via the administration panel or configuration files. If the version is 5.6.06 or earlier, the system is vulnerable.

Check Version:

Check BigAnt Server administration panel or configuration files for version information.

Verify Fix Applied:

Verify that SaaS registration is disabled and the Cloud Storage Addin is removed or disabled. Test whether unauthenticated account creation is still possible.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated account creation events
  • Administrative user creation from unknown IPs
  • PHP file uploads via Cloud Storage Addin

Network Indicators:

  • HTTP POST requests to registration endpoints from external IPs
  • Unusual file uploads to Cloud Storage endpoints

SIEM Query:

source="bigant" AND (event="user_creation" OR event="file_upload") AND user="unauthenticated"
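An offline check that applies the three log indicators above to constructed events. This is an added example, not part of this advisory or of BigAnt Server; the event field names, the trusted-network allowlist and the sample events are assumptions, and a real deployment must map its collector's fields onto them.

```python
import re

# Constructed event shape for this example, not BigAnt Server's real log
# format: dicts with "event", "src_ip" and, per type, "actor"/"role"/"user"
# or "component"/"filename". Map real collector fields onto these names.
TRUSTED_ADMIN_NETS = ("10.0.0.",)  # assumed allowlist; set per site

# PHP-executable extensions, including double extensions such as ".php.txt"
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)(?:\.|$)", re.IGNORECASE)


def is_trusted(ip: str) -> bool:
    """True if the source IP belongs to an allowlisted admin network."""
    return any(ip.startswith(net) for net in TRUSTED_ADMIN_NETS)


def classify(event: dict) -> list:
    """Return alert labels for one event; an empty list means benign."""
    alerts = []
    kind = event.get("event")
    ip = event.get("src_ip", "")
    if kind == "user_creation":
        # Self-service SaaS registration has no authenticated actor behind it
        if event.get("actor", "") in ("", "unauthenticated", "saas_registration"):
            alerts.append("unauthenticated_account_creation")
        if event.get("role") == "admin" and not is_trusted(ip):
            alerts.append("admin_created_from_untrusted_ip")
    elif kind == "file_upload":
        if (event.get("component") == "cloud_storage_addin"
                and PHP_EXT.search(event.get("filename", ""))):
            alerts.append("php_upload_via_cloud_storage")
    return alerts


def scan(events: list) -> list:
    """Pair each event with every alert label it raises."""
    return [(e, a) for e in events for a in classify(e)]


# Constructed sample events: a self-registered admin, a normal user creation,
# a benign upload and a PHP upload hidden behind a double extension.
SAMPLE_EVENTS = [
    {"event": "user_creation", "actor": "saas_registration", "role": "admin",
     "user": "helpdesk2", "src_ip": "203.0.113.5"},
    {"event": "user_creation", "actor": "admin1", "role": "user",
     "user": "jdoe", "src_ip": "10.0.0.7"},
    {"event": "file_upload", "component": "cloud_storage_addin",
     "filename": "invoice.pdf", "src_ip": "10.0.0.9"},
    {"event": "file_upload", "component": "cloud_storage_addin",
     "filename": "notes.php.txt", "src_ip": "203.0.113.5"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: two on the self-registered admin and one on the double-extension upload.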
