CVE Vulnerability Database

CVE-2025-2749: Kentico Xperience RCE Vulnerability

CVE-2025-2749 is a remote code execution vulnerability in Kentico Xperience that is exploitable by callers who can authenticate to its Staging Sync Server. Such callers can upload arbitrary files via path traversal, leading to server-side code execution. Learn about affected versions, impact, and mitigation.


CVE-2025-2749 Overview

CVE-2025-2749 is an authenticated remote code execution vulnerability in Kentico Xperience, a .NET-based digital experience platform. The flaw resides in the Staging Sync Server component, which fails to validate file paths during synchronization upload operations. A caller who can authenticate to the staging service can submit crafted requests whose relative file paths resolve to locations outside the intended directory. By placing server-executable content such as .aspx files within the web root, the attacker achieves remote code execution under the application worker process. The vulnerability affects Kentico Xperience through version 13.0.178 and is tracked under [CWE-22] Path Traversal. CISA added CVE-2025-2749 to the Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation against internet-facing instances.

Critical Impact

Authenticated attackers can upload arbitrary executable content through the Staging Sync Server, achieving full remote code execution on the web server.

Affected Products

  • Kentico Xperience 13 versions through 13.0.178
  • The Staging Sync Server component of those versions (served at /CMSPages/Staging/SyncServer.asmx)
  • Any deployment that exposes that endpoint, internet-facing instances in particular

Discovery Timeline

  • 2025-03-24 - CVE-2025-2749 published to the National Vulnerability Database
  • 2026-04-21 - Last updated in NVD database

Technical Details for CVE-2025-2749

Vulnerability Analysis

The vulnerability stems from insufficient path validation in the Kentico Xperience Staging Sync Server. The Staging Sync Server accepts synchronization payloads that include file content and destination paths. The server resolves these destination paths relative to a base directory but does not normalize or constrain traversal sequences. Attackers with valid Staging Sync credentials can submit payloads containing ..\ (or ../) sequences to escape the intended upload directory.

The issue is compounded by the absence of file extension filtering. Attackers can write server-side files such as .aspx, .ashx, or .asmx into web-accessible paths. IIS routes requests for those extensions to the ASP.NET handler, which compiles and executes the file, granting code execution under the application pool identity. The EPSS score of 3.81% (88.6th percentile) reflects an elevated likelihood of exploitation activity, and the vulnerability's presence in the CISA Known Exploited Vulnerabilities catalog indicates confirmed real-world abuse.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The Staging Sync Server concatenates attacker-supplied path components with the target base directory without canonicalization. Directory traversal sequences are preserved through to the file write operation, allowing arbitrary placement on disk.
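The concatenate-then-write pattern described above, as an added example that is not Kentico's code: a Python model of the flawed sink beside a hardened resolver. The ntpath module reproduces Windows path semantics on any OS, and ntpath.join behaves like .NET Path.Combine, so the same two mistakes show up: '..' segments survive, and a rooted second argument replaces the base outright. The directory layout, payloads, and extension list are assumptions made for the example.

```python
import ntpath

# Hypothetical layout for the example; the real Kentico directories are not given on the page.
WEB_ROOT = r"C:\inetpub\wwwroot\Kentico"
APP_DATA = ntpath.join(WEB_ROOT, "App_Data")          # ASP.NET never serves this folder directly
STAGING_BASE = ntpath.join(APP_DATA, "StagingIncoming")

# Extensions IIS hands to ASP.NET, which compiles and runs them on request (illustrative list).
SERVER_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".config"}


def vulnerable_target(relative_path):
    """Model of the flawed sink: base + caller-supplied path, nothing validated.

    ntpath.join behaves like .NET Path.Combine: '..' segments survive, and a rooted
    second argument ('\\x' or 'D:\\x') discards the base entirely.  normpath is
    applied only to show where the OS resolves the write when the file is opened.
    """
    return ntpath.normpath(ntpath.join(STAGING_BASE, relative_path))


def _inside(candidate, base):
    """Case-insensitive containment test on canonical Windows paths."""
    c, b = ntpath.normcase(candidate), ntpath.normcase(base).rstrip("\\")
    return c == b or c.startswith(b + "\\")


def hardened_target(relative_path):
    """Canonicalise first, then require containment and a non-executable extension."""
    candidate = ntpath.normpath(ntpath.join(STAGING_BASE, relative_path))
    if not _inside(candidate, STAGING_BASE):
        raise ValueError("path escapes staging directory: %r" % relative_path)
    if ntpath.splitext(candidate)[1].lower() in SERVER_EXECUTABLE:
        raise ValueError("server-executable extension rejected: %r" % relative_path)
    return candidate


def lands_in_web_root(path):
    """True when a file written here is reachable over HTTP (inside the site, outside App_Data)."""
    return _inside(path, WEB_ROOT) and not _inside(path, APP_DATA)


def classify(relative_path):
    """(where the vulnerable code writes, whether IIS would serve it, what the hardened code does)."""
    vuln = vulnerable_target(relative_path)
    try:
        safe = hardened_target(relative_path)
    except ValueError as err:
        safe = "REJECTED: " + str(err)
    return vuln, lands_in_web_root(vuln), safe


# Constructed payloads: a benign media file, two traversal spellings, a rooted path, an executable.
PAYLOADS = [r"images\logo.png", r"..\..\shell.aspx", "../../shell.aspx", r"\shell.aspx", r"images\cmd.ashx"]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print("%-20s -> %s" % (payload, classify(payload)))
```

The order of checks in hardened_target matters: canonicalise before comparing, or a prefix check on the raw string passes `..\..\shell.aspx` because the concatenated string still starts with the base directory. In .NET the equivalent canonicalisation step is Path.GetFullPath followed by a case-insensitive prefix comparison against the base plus a trailing separator.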

Attack Vector

Exploitation requires Staging Sync Server credentials, which in many deployments are default, shared, or weakly protected. The attacker submits a crafted synchronization request over HTTP or HTTPS to the staging endpoint. The request body specifies a relative path containing traversal sequences and the file content to write. The server writes the payload to the calculated path, after which the attacker requests the uploaded file via the web server to trigger execution. See the watchTowr Pre-Auth RCE Analysis and the VulnCheck Kentico RCE Advisory for in-depth technical analysis of the exploit chain; the "pre-auth" in watchTowr's title refers to chaining this bug with a separate authentication bypass in the same component, so the credential requirement should not be relied on as a mitigation.

Detection Methods for CVE-2025-2749

Indicators of Compromise

  • Unexpected .aspx, .ashx, or .asmx files appearing in Kentico web directories outside of standard application paths
  • HTTP POST requests to Staging Sync Server endpoints such as /CMSPages/Staging/SyncServer.asmx containing path traversal sequences (..\ or %2e%2e%5c); note that standard IIS logs do not record request bodies, so body-borne sequences are only visible to a WAF, reverse proxy, or Failed Request Tracing in front of the application
  • Outbound network connections initiated by the IIS worker process (w3wp.exe) to unfamiliar destinations
  • New child processes spawned by w3wp.exe such as cmd.exe, powershell.exe, or rundll32.exe

Detection Strategies

  • Inspect web server access logs for requests to staging synchronization endpoints originating from non-trusted IP ranges
  • Monitor file system changes in Kentico application directories using integrity monitoring tools
  • Alert on creation of server-executable file extensions in directories that should contain only static content
  • Correlate authentication events against the staging account with file write operations on the host

Monitoring Recommendations

  • Capture request bodies for the Staging Sync Server endpoints at a reverse proxy or WAF, or with IIS Failed Request Tracing, since standard IIS W3C logging records only the URL and query string
  • Deploy endpoint detection and response telemetry to capture process lineage from w3wp.exe
  • Forward web server, file system, and process telemetry to a centralized analytics platform for cross-source correlation
  • Establish a baseline of expected staging synchronization activity and alert on deviations
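The detection strategies and monitoring recommendations above, implemented as an added example that is not from the page or from Kentico: a detector run over a constructed IIS W3C log excerpt plus a web-root audit. It flags staging-endpoint calls from hosts outside a trusted-peer list, traversal sequences in the URL or query string, and the upload-then-trigger sequence (a never-seen .aspx/.ashx/.asmx requested shortly after a staging POST from the same client). The endpoint path is the one named in the indicators; the trusted-peer list, the known-handler baseline, the log lines, and the planted files are constructed for the example.

```python
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from urllib.parse import unquote

# Constructed baseline; a real one is derived from the deployment.
STAGING_ENDPOINT = "/cmspages/staging/syncserver.asmx"
TRUSTED_PEERS = {"10.0.1.20"}                       # the only host that should call the staging service
KNOWN_HANDLERS = {"/default.aspx", "/cmspages/getresource.ashx", STAGING_ENDPOINT}
EXEC_EXT = (".aspx", ".ashx", ".asmx")
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed IIS W3C log excerpt (not a real capture); IIS writes '+' for spaces inside a field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-25 10:14:02 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 10.0.1.20 Kentico+Staging 200
2025-03-25 11:02:10 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 203.0.113.77 python-requests/2.31 200
2025-03-25 11:02:15 10.0.0.5 GET /shell.aspx cmd=whoami 443 - 203.0.113.77 python-requests/2.31 200
2025-03-25 11:02:40 10.0.0.5 GET /CMSPages/GetResource.ashx file=..%2f..%2fweb.config 443 - 203.0.113.77 python-requests/2.31 404
2025-03-25 14:30:00 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
2025-03-25 15:00:00 10.0.0.5 GET /App_Themes/x.ashx - 443 - 198.51.100.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def analyse(text, window=timedelta(minutes=10)):
    """Return (rule, client_ip, path) alerts for staging-abuse patterns in an IIS log."""
    alerts = []
    last_sync = {}                                   # client ip -> time of its last staging POST
    for r in parse_w3c(text):
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        stem = unquote(unquote(r["cs-uri-stem"])).lower()      # decode twice to catch %252e evasion
        query = "" if r["cs-uri-query"] == "-" else unquote(unquote(r["cs-uri-query"]))
        ip = r["c-ip"]
        if stem == STAGING_ENDPOINT:
            if ip not in TRUSTED_PEERS:
                alerts.append(("untrusted_staging_source", ip, stem))
            last_sync[ip] = ts
        if TRAVERSAL.search(stem + " " + query):
            alerts.append(("traversal_in_request", ip, stem))
        if stem.endswith(EXEC_EXT) and stem not in KNOWN_HANDLERS:
            # A never-seen handler fetched shortly after a sync from the same client is the
            # upload-then-trigger sequence; otherwise it is merely an unexpected executable path.
            recent = ip in last_sync and ts - last_sync[ip] <= window
            alerts.append(("new_handler_after_sync" if recent else "unknown_executable_path", ip, stem))
    return alerts


def audit_web_root(root, expected):
    """List server-executable files under root whose relative path is not in the expected baseline."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_EXT:
            rel = p.relative_to(root).as_posix().lower()
            if rel not in expected:
                hits.append(rel)
    return sorted(hits)


def demo_audit():
    """Build a throwaway web root with planted files and run the audit over it."""
    baseline = {"default.aspx", "cmspages/getresource.ashx", "cmspages/staging/syncserver.asmx"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in baseline | {"shell.aspx", "app_themes/x.ashx", "images/logo.png"}:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("x")
        return audit_web_root(root, baseline)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print(demo_audit())
```

The log-side rules only see what IIS writes, so a traversal that travels in the SOAP body never appears here; that is why the file-system audit and the staging-POST-to-new-handler correlation carry most of the weight. Run audit_web_root against a baseline taken from a clean install of the same build, not from the possibly compromised host.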

How to Mitigate CVE-2025-2749

Immediate Actions Required

  • Apply the Kentico hotfix that updates Xperience beyond version 13.0.178 from the Kentico Hotfix Downloads portal
  • Rotate Staging Sync Server credentials and disable any default or shared accounts
  • Restrict network access to staging synchronization endpoints to known synchronization peers only
  • Audit the web root for unexpected executable files created prior to patching

Patch Information

Kentico has released hotfixes addressing CVE-2025-2749. Administrators should download the latest hotfix package from Kentico Hotfix Downloads and apply it to all Kentico Xperience 13 instances. Validate the installed build number after patching to confirm it is newer than 13.0.178. Refer to the CISA KEV catalog entry for CVE-2025-2749 for federal remediation deadlines.

Workarounds

  • Disable the Staging Sync Server feature in environments where content synchronization is not required
  • Place the Staging Sync Server endpoint behind a web application firewall rule blocking path traversal patterns in request bodies
  • Restrict the IIS application pool identity to minimum required file system permissions to limit blast radius
  • Enforce IP allowlisting on staging endpoints at the network or reverse proxy layer
An illustrative ModSecurity-style rule for a reverse proxy or WAF in front of IIS (not vendor-supplied). REQUEST_BODY is only populated in phase 2 with SecRequestBodyAccess On, and IIS matches URLs case-insensitively, so the endpoint comparison is lower-cased as well:

```apache
# Example WAF rule pattern to block traversal in staging requests
# ModSecurity-style rule (illustrative); requires SecRequestBodyAccess On
SecRule REQUEST_URI "@contains /cmspages/staging/" \
    "id:1002749,phase:2,chain,deny,status:403,log,t:lowercase,msg:'Kentico staging path traversal attempt'"
    SecRule REQUEST_BODY "@rx (\.\./|\.\.\\|%2e%2e(%2f|%5c))" "t:lowercase,t:urlDecodeUni"
```

Treat this as a stopgap only: legitimate staging payloads are SOAP XML and a body regex cannot distinguish an encoded traversal the application would still decode from one it would not, so the hotfix remains the fix.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
