
The critical 0-day vulnerability CVE-2025-0364 in BigAnt Server lets an unauthenticated attacker execute arbitrary code by chaining the SaaS registration flow with an unrestricted PHP file upload. It affects all versions of the enterprise chat platform up to 5.6.06 on Windows and gives complete control over the host.
VulnCheck researchers found that the BigAnt SaaS portal, by default, lets anyone register a new organization with nothing more than a CAPTCHA. An attacker registers an organization they control and thereby obtains an administrative account in it.
Next, because the session variables are insufficiently protected, the attacker obtains the UUID used for SaaS activation, switches the session context, and gains access to the Cloud Drive. Its upload function performs no authentication check, so PHP scripts can be uploaded without restriction; when the web server serves them, they run with NT AUTHORITY\SYSTEM privileges.
The vulnerability stems from several architectural mistakes:
- Insecure defaults – the SaaS portal is enabled out of the box with no protection applied at installation.
- Session management issues – the activation UUID leaks through the API.
- Missing file validation – PHP files can be uploaded to the Cloud Drive without authentication or type checks.
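The third cause above is the one an upload handler can fix on its own. As an added example (not BigAnt's code, and not from the VulnCheck write-up), the block below shows the validation such a handler should have performed: an extension allowlist checked against every extension in the name, a ban on path components, and a sniff of the first bytes for a PHP open tag. It also includes a scanner for a share that already accepted uploads without checks. The allowlist, the directory layout and the sample files are assumptions constructed for the demonstration.

```python
"""Upload validation and after-the-fact scanning for PHP dropped into a file share.
Added example; the extension allowlist and sample files are assumptions, not BigAnt's."""
import os
import re
import tempfile

# Extensions a PHP-enabled web server (IIS FastCGI, Apache) typically hands to the
# PHP interpreter. An upload handler must never store any of these.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Hypothetical allowlist for a document share (assumption; BigAnt's real policy is unknown).
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg", ".docx", ".xlsx"}

# PHP open tags: "<?php" or the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def upload_rejection_reason(filename, data):
    """Return None if the upload may be stored, otherwise a short rejection reason.

    Checks, in order: no path components, every extension in the name (so
    'shell.php.txt' is caught, not only the last one), an allowlist rather than a
    denylist for the final extension, and a content sniff for a PHP open tag.
    """
    if filename != os.path.basename(filename.replace("\\", "/")):
        return "path component in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "missing extension"
    if any("." + p in PHP_EXTENSIONS for p in parts[1:]):
        return "php extension"
    if "." + parts[-1] not in ALLOWED_EXTENSIONS:
        return "extension not on allowlist"
    if PHP_OPEN_TAG.search(data[:4096]):
        return "php open tag in content"
    return None


def find_php_in_tree(root):
    """Walk an existing share and report files that look like PHP by name or content."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if ext in PHP_EXTENSIONS or PHP_OPEN_TAG.search(head):
                hits.append(os.path.relpath(path, root).replace("\\", "/"))
    return sorted(hits)


# Constructed sample uploads (not real artefacts from the vulnerability report).
SAMPLE_UPLOADS = {
    "notes.txt": b"quarterly planning notes",
    "report.pdf": b"%PDF-1.4 ...",
    "cmd.php": b"<?php system($_GET['c']); ?>",
    "cmd.php.txt": b"<?php echo 1; ?>",
    "innocent.jpg": b"\xff\xd8\xff\xe0 <?php phpinfo(); ?>",
    "..\\outside.txt": b"traversal attempt",
}


def demo_validation():
    """Run the validator over the samples; maps filename -> rejection reason or None."""
    return {name: upload_rejection_reason(name, data) for name, data in SAMPLE_UPLOADS.items()}


def demo_scan():
    """Write the samples a validator-less server would have stored, then scan the share."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "org1"))
        for name, data in SAMPLE_UPLOADS.items():
            if "\\" in name:  # the traversal name cannot be written as a plain file
                continue
            with open(os.path.join(root, "org1", name), "wb") as fh:
                fh.write(data)
        return find_php_in_tree(root)


if __name__ == "__main__":
    for name, reason in demo_validation().items():
        print(f"{name:20s} -> {reason or 'accepted'}")
    print("on disk:", demo_scan())
```

Even with validation in place, the web server should be configured so that nothing under the upload location is handed to a script interpreter; the content sniff catches PHP hidden in an image only when the tag appears in the first 4 KB, so it is a second line of defence, not the primary one.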
The earlier CVE-2024-54761 required administrative access, whereas the new 0-day works with no credentials at all, which raises questions about how the CVSS score was assigned. As of March 2025 BigAntSoft has not released a patch. Until one is available, the causes listed above point at the interim mitigations: disable or firewall the SaaS registration portal, and prevent the web server from executing scripts stored under the Cloud Drive upload location.