
CVE-2025-27422: FACTION Allows Authentication Bypass via User Creation

7.5 CVSS

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed because an attacker can register a new user with admin privileges at any time, without any prior authentication or authorization. The request only has to satisfy the input validation rules (no missing fields, a password that meets the policy, etc.); no other control prevents it. This vulnerability is fixed in 1.4.3.
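To make the missing control concrete, the following is an added Python model (not FACTION's code; the in-memory store, the password policy and the field names are assumptions) of a registration handler that applies only input validation, beside one that also requires an authenticated admin and assigns the role server-side:

```python
import re
from dataclasses import dataclass, field

# Added illustration of the CWE-287 pattern described above, not FACTION's code.
# The password policy, field names and in-memory store are assumptions.
PASSWORD_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{12,}$")


@dataclass
class Session:
    username: str
    is_admin: bool


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)


def _validate(payload):
    """Input validation only: required fields and password strength."""
    for key in ("username", "email", "password"):
        if not payload.get(key):
            raise ValueError(f"missing {key}")
    if not PASSWORD_RE.match(payload["password"]):
        raise ValueError("password does not meet policy")


def register_vulnerable(store, session, payload):
    """Validation passes, so the account is created: nothing checks that the
    caller is authenticated, and the role is taken straight from the request."""
    _validate(payload)
    user = {"email": payload["email"], "is_admin": bool(payload.get("is_admin"))}
    store.users[payload["username"]] = user
    return user


def register_fixed(store, session, payload):
    """Hardened: only an authenticated admin may create accounts, and the new
    account's role is decided server-side (default non-admin), never by the body."""
    if session is None:
        raise PermissionError("authentication required")
    if not session.is_admin:
        raise PermissionError("admin privileges required")
    _validate(payload)
    user = {"email": payload["email"], "is_admin": False}
    store.users[payload["username"]] = user
    return user
```

The `session` argument stands in for whatever the framework uses to identify the caller; the point is that the fixed handler rejects the request before validation ever runs when no admin session is present.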

Classification

CVE ID: CVE-2025-27422

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-287: Improper Authentication

Affected Products

Vendor: factionsecurity

Product: faction

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 22.19% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-01 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27422
https://github.com/factionsecurity/faction/security/advisories/GHSA-97cv-f342-v2jc
https://github.com/factionsecurity/faction/commit/0a6848d388d6dba1c81918cce2772b1e805cd3d6

Timeline