CVE-2025-2747

Kentico Xperience <= 13.0.178 Staging Sync Server None Password Type Authentication Bypass

CVSS 9.8 CRITICAL · EPSS 92.2% · KEV · CWE-288
In short

Kentico Xperience has a flaw where the Staging Sync Server component fails to properly authenticate connections when a server is configured with a 'None' password type, allowing attackers to bypass authentication and gain administrative control without valid credentials.

Technical detail

The Staging Sync Server component in Kentico Xperience through version 13.0.178 does not enforce authentication when a staging server is configured with the 'None' password type. An unauthenticated attacker can therefore reach the staging synchronization interface and manipulate administrative objects.

Summary generated and translated by AI from the official description.
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Kentico · Xperience