Advisory

Critical flaw in BigAntSoft BigAnt Server enables unauthenticated remote code execution

Take action: If you are using BigAnt Server, check whether you can isolate it from the internet and expose it only to trusted networks. Then disable the SaaS registration functionality. Finally, check with the vendor for a patched version or consider replacing the product.


Learn More

A critical vulnerability has been discovered in BigAntSoft's BigAnt Server, an on-premises Windows chat server. 

This vulnerability, tracked as CVE-2025-0364 (CVSS score 9.8), enables unauthenticated remote code execution through an exploit chain combining an account registration bypass with PHP file uploads. The chain abuses a SaaS registration function that is exposed by default: an attacker bypasses authentication by solving a simple CAPTCHA, creates an administrative user, uploads malicious PHP files through the Cloud Storage Add-in, and then executes those files, which the server serves without any authentication check. The result is a complete path from no credentials to remote code execution with SYSTEM privileges on vulnerable servers.

The exploit involves a sequence of steps: 

  • retrieving and solving a CAPTCHA from /index.php/Home/Public/verify, 
  • registering a new SaaS organization with the solved CAPTCHA, 
  • manipulating session cookies to access administrative features, 
  • retrieving organization identifiers from server responses, 
  • activating the SaaS organization, 
  • authenticating to the add-in SaaS administration interface, 
  • uploading a PHP webshell to the cloud drive, 
  • triggering the payload by accessing the uploaded file. 

When successful, the exploit grants command execution with NT AUTHORITY\SYSTEM privileges.
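As an added detection example (not from the advisory or the vendor): a Python script that replays the sequence above against web-server access logs and flags a client that fetched the CAPTCHA endpoint named in the advisory, then posted to the application, then successfully requested a .php file outside the application's front controller. It assumes Common Log Format access logs and that BigAnt routes its own pages through /index.php; the sample log lines, and every path in them other than /index.php/Home/Public/verify, are constructed placeholders chosen for the example, not real BigAnt endpoints.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory: the CAPTCHA the attacker fetches and solves first.
CAPTCHA_PATH = "/index.php/Home/Public/verify"

# Assumption: the web tier writes Common Log Format (CLF) access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample traffic (not real logs). Only the /verify path comes from the
# advisory; the registration and upload paths are placeholders chosen for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2025:12:01:03 +0000] "GET /index.php/Home/Public/verify HTTP/1.1" 200 2304
203.0.113.5 - - [10/Feb/2025:12:01:09 +0000] "POST /index.php/Home/Public/register HTTP/1.1" 302 0
203.0.113.5 - - [10/Feb/2025:12:02:41 +0000] "POST /index.php/Addin/Cloud/upload HTTP/1.1" 200 57
203.0.113.5 - - [10/Feb/2025:12:02:50 +0000] "GET /Addin/Cloud/files/shell.php?cmd=whoami HTTP/1.1" 200 31
198.51.100.7 - - [10/Feb/2025:12:03:00 +0000] "GET /index.php/Home/Public/verify HTTP/1.1" 200 2304
198.51.100.7 - - [10/Feb/2025:12:03:30 +0000] "POST /index.php/Home/Public/register HTTP/1.1" 200 120
192.0.2.9 - - [10/Feb/2025:12:05:00 +0000] "GET /index.php/Home/Index/login HTTP/1.1" 200 5120
this line is not a valid access log record
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["target"].split("?", 1)[0],  # query string dropped for matching
        "status": int(m["status"]),
    }


def is_foreign_php(target):
    """True when the request is for a .php file that is not the application's own
    front controller. Assumption: BigAnt routes its pages through /index.php/...,
    so any other directly requested .php file is a candidate uploaded webshell."""
    path = target.split("?", 1)[0].lower()
    if not path.endswith(".php"):
        return False
    return path != "/index.php" and not path.startswith("/index.php/")


def detect(log_text, window=timedelta(hours=1)):
    """Return at most one finding per client IP that follows the advisory's sequence:
    CAPTCHA fetch, then POSTs (registration / activation / upload), then a
    successful request for a foreign .php file, all within `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            per_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["time"])
        captcha_at = None
        finding = None
        for ev in events:
            if ev["path"] == CAPTCHA_PATH:
                captcha_at = ev["time"]  # (re)start the chain at each CAPTCHA fetch
                continue
            if captcha_at is None or ev["time"] - captcha_at > window:
                continue
            if ev["method"] == "POST" and finding is None:
                finding = {"ip": ip, "stage": "registration_attempt",
                           "path": ev["path"], "captcha_at": captcha_at.isoformat()}
            if is_foreign_php(ev["path"]) and ev["status"] == 200:
                finding = {"ip": ip, "stage": "webshell_execution",
                           "path": ev["path"], "captcha_at": captcha_at.isoformat()}
                break
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['stage']:22} {f['ip']:14} {f['path']}  (captcha at {f['captcha_at']})")
```

To run it against a real server, pass the contents of the access log to detect() in place of SAMPLE_LOG. A registration_attempt hit is evidence the exposed SaaS registration is being abused; a webshell_execution hit means code already ran as SYSTEM on that host, so treat it as compromised and rebuild rather than only restricting access.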

The issue affects BigAnt Server version 5.6.06 and earlier. At the time of discovery, approximately 50 BigAnt servers were exposed on the internet; this number had decreased to around 30 identifiable instances by the time of publication.

Since no official patch is available, organizations should disable the SaaS registration functionality and implement network-level protections that limit access to the BigAnt Server to trusted networks.
