CVE-2025-2749

Kentico Xperience <= 13.0.178 Staging Media File Upload Authenticated RCE

CVSS 7.2 HIGH · EPSS 3.9% · KEV · CWE-22 · CWE-434
In short

An authenticated user with Staging Sync Server access in Kentico Xperience can upload files to locations outside the intended media directory, including files containing executable code that the server will run. An attacker holding valid credentials can use this to take control of the affected system.

Technical detail

An authenticated path traversal vulnerability in the Kentico Xperience (≤ 13.0.178) Staging Sync Server allows users to upload arbitrary files to attacker-controlled paths because the supplied path is not sufficiently validated (CWE-22, CWE-434). Successful exploitation results in arbitrary file write and remote code execution with the privileges of the server process; valid authentication credentials are required.

Summary generated and translated by AI from the official description.
An authenticated remote code execution in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Kentico · Xperience