CVE-2025-2749

Published: Mar 24, 2025Modified: Apr 21, 2026CISA KEV

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: disclosure@vulncheck.com (Secondary)

Description

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.

Affected (1)

Products: Kentico: Xperience

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kentico Xperience	Up to 13.0.178

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://devnet.kentico.com/download/hotfixes

Source: disclosure@vulncheck.com

Patch

https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/

Source: disclosure@vulncheck.com

ExploitThird Party Advisory

https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce

Source: disclosure@vulncheck.com

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.