Warning: Multiple Critical & High vulnerabilities in Kentico Xperience can lead to Remote Code Execution, Patch Immediately!

Published: 25/03/2025


    * Last update:  25/03/2025
    * Affected software: Kentico Xperience 13, versions up to 13.0.178
    * Type: Improper Authentication (CWE-287), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
    * CVE/CVSS
        → CVE-2025-2746: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
        → CVE-2025-2747: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
        → CVE-2025-2749: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Sources

https://devnet.kentico.com/download/hotfixes

https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011

https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/

Risks

Kentico Xperience is a Digital eXperience Platform (DXP) for content management (CMS) and digital marketing, which is widely used in Belgium. Several vulnerabilities affecting the Staging Sync Server component of Kentico Xperience 13 have recently been published. They affect all versions before 13.0.179.

Exploiting CVE-2025-2746 or CVE-2025-2747 allows an unauthenticated, remote threat actor to bypass password authentication on the Staging Sync Server endpoint and thereby obtain administrative access to the CMS.

Exploiting CVE-2025-2749 allows a threat actor who already holds high privileges (for example, those obtained through one of the two authentication bypasses above) to write arbitrary files to any path on the server via path traversal, which can be escalated to remote code execution. Chained together, the three issues give an unauthenticated attacker a path to pre-authentication remote code execution.

All three vulnerabilities have a high impact on all three aspects of the CIA triad (confidentiality, integrity, and availability).

A public proof of concept for the authentication bypass has been released by watchTowr (see Sources). As of the time of the publication of this advisory, there is no evidence of exploitation in the wild.

Description

CVE-2025-2746:

An unauthenticated remote attacker can gain administrative privileges and control administrative objects by exploiting improper authentication in the Staging Sync Server's password handling when the SHA1 username hash is empty.

CVE-2025-2747:

An unauthenticated remote attacker can gain administrative privileges and control administrative objects by exploiting improper authentication in the Staging Sync Server's handling of the password type "None": a request declaring that no password is supplied is accepted instead of being rejected.

CVE-2025-2749:

A remote attacker with high privileges can perform path traversal through the Staging Sync Server's file upload and write arbitrary files to any location on the server. Writing an executable file into the web root allows the attacker to execute code remotely on the server, which can lead to complete system compromise.

Recommended Actions

Patch 

The Centre for Cybersecurity Belgium strongly recommends installing the vendor hotfixes on vulnerable installations with the highest priority after thorough testing. Specifically, hotfix 13.0.173 addresses WT-2025-0006 and hotfix 13.0.178 addresses WT-2025-0011; upgrade to the latest available hotfix so that both are covered. If you cannot patch immediately, disable the Staging service: this removes the exposed Staging Sync Server attack surface and provides temporary protection until the hotfix is applied.

Monitor/Detect 

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
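One concrete detection the advisory does not spell out is to review the IIS access logs of every Kentico target server for requests to the Staging Sync Server endpoint that do not originate from a known content-authoring (staging source) server. The script below is an added example, not CCB, Kentico or watchTowr code. It assumes the staging endpoint is at its default location /CMSPages/Staging/SyncServer.asmx (verify this against your deployment), that STAGING_SOURCES lists the networks of your legitimate staging source servers, and it runs over a handful of constructed W3C-format IIS log lines embedded in the file.

```python
"""Flag Staging Sync Server requests from unexpected sources in IIS W3C logs.

Added example (not CCB, Kentico or watchTowr code). Assumptions, labelled:
- STAGING_ENDPOINT is the default Kentico staging service path (assumption;
  confirm against your own installation);
- STAGING_SOURCES holds the networks of servers that legitimately push
  staging tasks to this target (assumption; replace with your own);
- SAMPLE_LOG is constructed for this example, it is not a real capture.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterator

STAGING_ENDPOINT = "/cmspages/staging/syncserver.asmx"   # assumed default path
STAGING_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]  # assumed authoring network

# Constructed sample: one legitimate push, one normal page view, then an
# untrusted host posting SOAP requests and fetching the WSDL.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-25 09:12:01 10.20.1.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 10.20.0.7 Kentico+Staging 200
2025-03-25 09:12:44 10.20.1.5 GET /en/about-us - 443 - 203.0.113.9 Mozilla/5.0 200
2025-03-25 09:13:10 10.20.1.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 198.51.100.23 python-requests/2.31 200
2025-03-25 09:13:11 10.20.1.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 198.51.100.23 python-requests/2.31 500
2025-03-25 09:14:02 10.20.1.5 GET /CMSPages/Staging/SyncServer.asmx WSDL 443 - 198.51.100.23 curl/8.5.0 200
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    status: str
    user_agent: str
    reason: str


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields: list[str] | None = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        # Skip rows whose column count does not match the header instead of
        # mis-mapping columns (IIS can change the field list mid-file).
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_trusted_source(ip: str) -> bool:
    """True if the client IP lies inside one of the allowed staging networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in STAGING_SOURCES)


def analyse(text: str) -> list[Finding]:
    """Return every hit on the staging endpoint from a non-allowlisted source."""
    findings: list[Finding] = []
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower() != STAGING_ENDPOINT:
            continue
        if is_trusted_source(row["c-ip"]):
            continue
        method = row["cs-method"].upper()
        # A GET (typically ?WSDL) is endpoint discovery; a POST carries a SOAP
        # call, i.e. an actual authentication attempt or staging operation.
        reason = ("staging endpoint enumeration from untrusted source" if method == "GET"
                  else "staging SOAP request from untrusted source")
        findings.append(Finding(row["time"], row["c-ip"], method, row["sc-status"],
                                row.get("cs(User-Agent)", "-"), reason))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per client IP so the noisiest source is reviewed first."""
    return dict(Counter(f.client_ip for f in findings))


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarise(hits))
```

Two caveats when running this against real logs: a successful (2xx) POST from an untrusted source is the finding to triage first, since the authentication bypasses return success to the caller, and a legitimate-looking User-Agent does not exonerate a request. If the Kentico server sits behind a reverse proxy or load balancer, c-ip is the proxy's address; log and parse the forwarded client header instead, otherwise every request looks trusted or untrusted at once.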

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise. Organisations that exposed the Staging Sync Server endpoint before patching should review logs and web-root contents for signs of earlier abuse.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2746

https://nvd.nist.gov/vuln/detail/CVE-2025-2747

https://nvd.nist.gov/vuln/detail/CVE-2025-2749