CVE-2025-2749

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://devnet.kentico.com/download/hotfixes	Patch
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce

Configurations

Configuration 1 (hide)

cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*

History

04 Nov 2025, 23:15

Type	Values Removed	Values Added
References		() https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce -

Information

Published : 2025-03-24 19:15

Updated : 2025-11-04 23:15

NVD link : CVE-2025-2749

Mitre link : CVE-2025-2749

CVE.ORG link : CVE-2025-2749

JSON object : View

Products Affected

kentico

xperience

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-2749", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2025-03-24T19:15:52.400", "references": [{"url": "https://devnet.kentico.com/download/hotfixes", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce", "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178."}, {"lang": "es", "value": "Una ejecuci\u00f3n remota de c\u00f3digo autenticada en Kentico Xperience permite a los usuarios autenticados del servidor de sincronizaci\u00f3n de pruebas cargar datos arbitrarios en ubicaciones path traversal. Esto provoca la navegaci\u00f3n de la ruta y la carga de archivos arbitrarios, incluyendo contenido que puede ejecutarse en el servidor, lo que provoca la ejecuci\u00f3n remota de c\u00f3digo. Este problema afecta a Kentico Xperience hasta la versi\u00f3n 13.0.178."}], "lastModified": "2025-11-04T23:15:34.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC749CC3-7A20-49C8-89FB-775818670734", "versionEndIncluding": "13.0.178"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}