RCE Vulnerability in Dynamicweb Enterprise Software Could Allow Server Compromise

‘Extremely easy to exploit’ bug introduced to codebase in 2018, researchers say

A vulnerability in Dynamicweb could allow an unauthenticated attacker to compromise a victim’s server, researchers have warned.

Dynamicweb is a popular business suite that provides services such as content management, digital marketing, and e-commerce solutions.

The vulnerability, discovered by researchers at AssetNote, could allow a malicious actor to gain privileges and execute code, compromising the application and the server.

It was detailed in a blog post by AssetNote, which was published recently.


“An unauthenticated attacker can add a new administrator user with full administrative access to the Dynamicweb e-commerce installation,” Shubham Shah, who found the bug, told The Daily Swig.

“Once the attacker has this admin access, it is possible to download a web shell and run the command. This would lead to a full application and server compromise.”

‘Extremely easy’

The vulnerability “was hard to find, but is extremely easy to exploit,” Shah said.

It was first introduced to the codebase in 2018 and was not fixed until AssetNote disclosed the bug in February 2022.

Dynamicweb branch 9.x users have been “most likely vulnerable since 2018,” said Shah, who added that he was unaware of the extent of unpatched users.

AssetNote reported the bug to Dynamicweb, which has since released a number of fixes for the issue. Users are advised to update to a fixed version as soon as possible.
