CVE-2025-0364

CRITICAL 9.8

BigAntSoft BigAnt Server Account Registration Bypass to File Upload RCE

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. An unauthenticated remote attacker can create an administrative user through the default exposed SaaS registration mechanism. Once an administrator, the attacker can upload and execute arbitrary PHP code using the "Cloud Storage Addin," leading to unauthenticated code execution.

CWE	CWE-288
Vendor	bigantsoft
Product	bigant server
Published	Feb 4, 2025
Last Updated	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for bigantsoft bigant server

Be the first to know when new critical vulnerabilities affecting bigantsoft bigant server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

BigAntSoft / BigAnt Server

0 ≤ 5.6.06

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vulncheck.com: https://vulncheck.com/advisories/big-ant-upload-rce github.com: https://github.com/vulncheck-oss/cve-2025-0364

Credits

Cale Black