CVE-2025-32370 Overview
CVE-2025-32370 is a critical unrestricted file upload vulnerability in Kentico Xperience CMS versions prior to 13.0.178. The ContentUploader component limits unauthenticated uploads to a fixed set of allowed file extensions, but that check is applied only to the name of the uploaded file. When the upload is a ZIP archive, the processing path through TryZipProviderSafe extracts each entry under whatever name it carries, so an attacker can create files with arbitrary extensions on the server and bypass the upload restriction entirely.
Critical Impact
Unauthenticated attackers can use the ZIP processing path to write files of arbitrary type to the server. If an extracted file lands in a directory from which IIS will execute ASP.NET content, this becomes remote code execution on the vulnerable Kentico Xperience installation.
Affected Products
- Kentico Xperience versions prior to 13.0.178
- Installations running the default ContentUploader configuration, in which the component accepts uploads from unauthenticated users
Discovery Timeline
- 2025-04-06 - CVE-2025-32370 published to NVD
- 2025-04-08 - Last updated in NVD database
Technical Details for CVE-2025-32370
Vulnerability Analysis
NVD classifies the flaw as unrestricted upload of a file with dangerous type (CWE-434), with a secondary tag of hidden functionality (CWE-912). The Kentico Xperience ContentUploader component restricts the extensions that unauthenticated users may upload, but the restriction is evaluated against the uploaded file's name only, not against the contents of an archive.
When the uploaded file is a .zip, it is handed to TryZipProviderSafe, which extracts the archive. Each entry is written to the file system under the name stored in the archive, with no check against the extension allowlist, so a packaged web shell (for example a .aspx file) is recreated on disk with its dangerous extension intact.
The result is that an unauthenticated remote attacker can write files of any type into the server's file system. Where the destination is a directory IIS maps to an ASP.NET handler, a single request to the extracted file executes attacker-controlled code and the host is fully compromised.
Root Cause
The root cause is inconsistent validation between the initial upload check and the post-upload ZIP extraction. The ContentUploader enforces its extension allowlist at the upload stage, but TryZipProviderSafe applies no equivalent check to the names of the entries it extracts. Extraction is therefore a second file-creation path with weaker controls than the first, and any validation placed only on the first path can be bypassed through the second.
Attack Vector
The attack is network-based and needs neither authentication nor user interaction. The attacker builds a ZIP archive whose entries carry executable extensions (.aspx, .ashx, or any other type IIS hands to an ASP.NET handler) and submits it to the ContentUploader endpoint. Extraction writes those entries to the web server's file system with their names preserved.
Exploitation therefore takes three steps: package a web shell or other payload in an archive, upload the archive to the vulnerable endpoint, and request the extracted file by its URL so the server executes it. The last step depends on the extracted file landing in a location IIS will execute, which is why disabling script execution in upload directories (see Workarounds) is an effective stop-gap until the hotfix is applied.
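The mismatch between the two file-creation paths can be modelled in a few lines. The following Python is an added example written for this page, not Kentico code: it mimics the flawed flow (extension allowlist on the uploaded name, archive entries written as named) beside a hardened version that applies the same allowlist to every entry, refuses nested archives, and confines entry paths to the destination directory. The allowlist, the file names and the archives are constructed assumptions, and the path-traversal guard is an extra the advisory does not mention; it is included because any code that writes archive entries by name needs it.

```python
import io
import os
import pathlib
import tempfile
import zipfile

# Illustrative allowlist standing in for the one ContentUploader applies to the
# uploaded file name; the real Kentico list is not reproduced here.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip"}
ARCHIVE_EXTENSIONS = {".zip"}


def suffix_of(name: str) -> str:
    # Archive entry names use forward slashes, so treat them as POSIX paths everywhere.
    return pathlib.PurePosixPath(name).suffix.lower()


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry name: content} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def vulnerable_upload(filename: str, data: bytes, dest_dir: str) -> list:
    """Model of the flawed flow (archive path only): the allowlist is checked against
    the uploaded name, then every entry is written under whatever name it carries."""
    if suffix_of(filename) not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload: {filename}")
    if suffix_of(filename) not in ARCHIVE_EXTENSIONS:
        raise NotImplementedError("non-archive uploads are not modelled here")
    dest, written = pathlib.Path(dest_dir), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.infolist():
            if entry.is_dir():
                continue
            target = dest / entry.filename      # no extension check, no path check
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(entry))
            written.append(str(target))
    return written


def hardened_upload(filename: str, data: bytes, dest_dir: str) -> list:
    """Same flow with the allowlist applied to every entry, nested archives refused and
    entry paths confined to dest_dir. Everything is validated before anything is
    written, so a rejected archive leaves no partial extraction behind."""
    if suffix_of(filename) not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload: {filename}")
    if suffix_of(filename) not in ARCHIVE_EXTENSIONS:
        raise NotImplementedError("non-archive uploads are not modelled here")
    dest = pathlib.Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [e for e in zf.infolist() if not e.is_dir()]
        targets = []
        for entry in entries:
            ext = suffix_of(entry.filename)
            if ext not in ALLOWED_EXTENSIONS or ext in ARCHIVE_EXTENSIONS:
                raise ValueError(f"rejected archive entry: {entry.filename}")
            target = (dest / entry.filename).resolve()
            if dest not in target.parents:          # zip-slip ("../") guard
                raise ValueError(f"entry escapes destination: {entry.filename}")
            targets.append(target)
        for entry, target in zip(entries, targets):
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(entry))
    return [str(t) for t in targets]


# Constructed samples; a placeholder string stands in for a web shell.
MALICIOUS_ZIP = build_archive({"avatar.jpg": b"\xff\xd8\xff", "shell.aspx": b"<%-- placeholder --%>"})
TRAVERSAL_ZIP = build_archive({"../escape.png": b"\x89PNG"})
BENIGN_ZIP = build_archive({"logo.png": b"\x89PNG"})


def demo() -> dict:
    """Run both flows against the samples in scratch directories and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        written = vulnerable_upload("photos.zip", MALICIOUS_ZIP, tmp)
        results["vulnerable_wrote_aspx"] = any(p.endswith("shell.aspx") for p in written)
    for label, payload in (("aspx", MALICIOUS_ZIP), ("traversal", TRAVERSAL_ZIP)):
        with tempfile.TemporaryDirectory() as tmp:
            try:
                hardened_upload("photos.zip", payload, tmp)
                results[f"hardened_rejected_{label}"] = False
            except ValueError:
                results[f"hardened_rejected_{label}"] = True
            results[f"hardened_leftover_{label}"] = os.listdir(tmp)
    with tempfile.TemporaryDirectory() as tmp:
        written = hardened_upload("photos.zip", BENIGN_ZIP, tmp)
        results["hardened_benign"] = [os.path.basename(p) for p in written]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of validating every entry before the first write is that a rejected archive must not leave a half-extracted payload behind; the fix is only complete if the extraction path is held to exactly the same allowlist as the upload path, and a .zip inside a .zip is refused so the check cannot be nested away.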
Detection Methods for CVE-2025-32370
Indicators of Compromise
- POST requests to the ContentUploader endpoint from unauthenticated or unexpected clients (IIS logs do not record the multipart filename, so a ZIP upload appears only as a POST to the uploader; correlate it with what appears on disk afterward)
- Newly created .aspx, .ashx or other ASP.NET-executable files in upload or media directories, particularly shortly after such a POST
- Web shell indicators such as unexpected ASP.NET files with generic names in media or upload folders, or a web.config dropped into those folders (the same bypass lets an archive create any file name)
- Anomalous outbound connections from IIS worker processes (w3wp.exe), or child processes such as cmd.exe or powershell.exe spawned by them
Detection Strategies
- Monitor access logs for POST requests to the ContentUploader endpoint from untrusted addresses and correlate them with later requests for .aspx or .ashx files under upload or media paths
- Implement file integrity monitoring on web application directories to alert on newly created executable files and on changes to web.config
- Deploy WAF rules that parse uploaded ZIP archives and reject entries whose names carry executable extensions (entry names are stored unencrypted in the archive's central directory, so this works even for password-protected archives)
- Configure IIS logging with the fields needed for forensics (client IP, method, URI stem and query, status, bytes received) and retain logs long enough to reconstruct the upload-to-execution sequence
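To make the log-side detection concrete, here is an added Python example (not from the page and not Kentico tooling) that parses an IIS W3C log and flags requests for web-executable files under upload paths, raising the severity when the same client POSTed to the uploader shortly before. The endpoint path, the upload prefixes and the log lines are constructed assumptions; confirm the real uploader URL and media path on the installation. IIS logs do not contain the multipart filename, and with forms authentication the cs-username column stays "-" for logged-in users as well, so the correlation relies on neither.

```python
import posixpath
from datetime import datetime, timedelta

# Assumptions (not from the advisory): the uploader's URL contains "ContentUploader",
# and extracted files are served from a path under one of these prefixes. Confirm
# both against the installation before deploying this.
UPLOADER_MARKER = "contentuploader"
UPLOAD_PREFIXES = ("/media/", "/uploads/")
WEB_EXEC_EXTS = {".aspx", ".ashx", ".asmx", ".svc", ".cshtml", ".vbhtml", ".soap"}
WINDOW = timedelta(minutes=30)

# Constructed IIS W3C log excerpt (not a real capture); the #Fields line defines the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status cs-bytes
2025-04-07 10:14:02 203.0.113.5 POST /CMSModules/Content/ContentUploader.ashx - - 200 48213
2025-04-07 10:14:09 203.0.113.5 GET /media/uploads/shell.aspx cmd=whoami - 200 412
2025-04-07 10:20:31 198.51.100.7 POST /CMSModules/Content/ContentUploader.ashx - - 200 1320
2025-04-07 10:20:40 198.51.100.7 GET /media/uploads/logo.png - - 200 310
2025-04-07 11:02:15 192.0.2.9 GET /media/uploads/report.pdf - - 200 9001
2025-04-07 12:40:00 192.0.2.9 GET /media/uploads/old.ashx - - 200 500
"""


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # unknown layout or damaged line: skip rather than guess
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def correlate(text: str) -> list:
    """Flag web-executable files served from upload paths; raise severity when the
    same client POSTed to the uploader within WINDOW beforehand."""
    uploads = {}  # c-ip -> timestamps of POSTs to the uploader
    alerts = []
    for rec in parse_w3c(text):
        stem, ip = rec["cs-uri-stem"].lower(), rec["c-ip"]
        if rec["cs-method"] == "POST" and UPLOADER_MARKER in stem:
            uploads.setdefault(ip, []).append(rec["ts"])
            continue
        if not stem.startswith(UPLOAD_PREFIXES):
            continue
        if posixpath.splitext(stem)[1] not in WEB_EXEC_EXTS or rec["sc-status"] != "200":
            continue
        prior = [t for t in uploads.get(ip, []) if timedelta(0) <= rec["ts"] - t <= WINDOW]
        alerts.append({
            "severity": "high" if prior else "medium",
            "c-ip": ip,
            "path": rec["cs-uri-stem"],
            "query": rec["cs-uri-query"],
            "ts": rec["ts"].isoformat(),
            "upload_posts_in_window": len(prior),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

A successfully served .aspx or .ashx from a media path is suspicious on its own (medium), because nothing legitimate should be executable there; the same request preceded by an uploader POST from the same address inside the window is the full exploitation sequence (high). Widen the window if the attacker may stage the upload and return later, and key on X-Forwarded-For instead of c-ip when the site sits behind a proxy.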
Monitoring Recommendations
- Enable verbose logging for Kentico Xperience file upload operations so that successful uploads, not only errors, are recorded
- Alert in real time on new executable file creation in web directories
- Alert on process creation where the parent is an IIS worker process (w3wp.exe), which is the usual sign of a web shell running commands
- Review access logs for requests to the upload endpoint that carry no authenticated session, since the vulnerable path does not require one
How to Mitigate CVE-2025-32370
Immediate Actions Required
- Upgrade Kentico Xperience to version 13.0.178 or later immediately
- Restrict access to the ContentUploader endpoint at the network level if immediate patching is not possible
- Audit existing upload and media directories for files that should not be there, since exploitation may predate the patch
- Block ZIP uploads at the application layer (WAF or reverse proxy) until patching is complete
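For the directory audit called for above, and for the file-integrity checks under Detection Strategies and Monitoring Recommendations, the following added Python example (not Kentico's tooling and not from the page) walks an upload tree and reports files that should not be there: anything IIS would execute, IIS control files such as web.config that an arbitrary-name write could drop, and files outside the allowlist. The allowlist and the sample tree are constructed; point it at the real media or upload path and pass since_epoch to narrow the scan to the window of concern.

```python
import os
import pathlib
import tempfile
import time

# Illustrative allowlist mirroring what the uploader should have permitted; not Kentico's list.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Extensions IIS hands to an ASP.NET handler, plus files that change how IIS treats a
# directory (an attacker who can write arbitrary names can drop a web.config too).
WEB_EXEC_EXTS = {".aspx", ".ashx", ".asmx", ".svc", ".cshtml", ".vbhtml", ".soap", ".dll"}
IIS_CONTROL_FILES = {"web.config", "global.asax"}


def audit_upload_dir(root: str, since_epoch: float = 0.0) -> list:
    """Walk an upload tree and report files that should not be there.

    Returns one dict per finding with a reason of 'web_executable', 'iis_control_file'
    or 'not_in_allowlist'. since_epoch narrows the scan to files modified after it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = pathlib.Path(dirpath, name)
            st = path.stat()
            if st.st_mtime < since_epoch:
                continue
            ext = path.suffix.lower()
            if name.lower() in IIS_CONTROL_FILES:
                reason = "iis_control_file"
            elif ext in WEB_EXEC_EXTS:
                reason = "web_executable"
            elif ext not in ALLOWED_EXTENSIONS:
                reason = "not_in_allowlist"
            else:
                continue
            findings.append({
                "path": str(path.relative_to(root)).replace(os.sep, "/"),
                "reason": reason,
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_tree() -> str:
    """Constructed upload directory with a mix of expected and suspicious files."""
    root = tempfile.mkdtemp(prefix="upload-audit-")
    sample = {
        "2025/04/avatar.jpg": b"\xff\xd8\xff",
        "2025/04/report.pdf": b"%PDF-1.4",
        "2025/04/shell.aspx": b"<%-- placeholder for a web shell --%>",
        "2025/04/web.config": b"<configuration/>",
        "2025/04/notes.txt": b"plain text, outside the allowlist",
    }
    for rel, content in sample.items():
        p = pathlib.Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in audit_upload_dir(root):
        print(f"{f['reason']:<18} {f['size']:>6}  {f['mtime']}  {f['path']}")
```

Treat every web_executable or iis_control_file hit as an incident until proven otherwise, and preserve the file and its timestamps before removing it; the mtime is what ties the finding back to the uploader POST in the IIS log.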
Patch Information
Kentico addresses this vulnerability in hotfix 13.0.178. Apply the latest hotfix from the Kentico Hotfix Downloads page. The fix adds file extension validation during ZIP extraction, so archive entries can no longer create file types the uploader would not accept directly.
For detailed technical analysis of related vulnerabilities in Kentico Xperience, refer to the watchTowr Labs security research.
Workarounds
- Disable unauthenticated file upload functionality in the Kentico Xperience administration settings if the deployment does not require anonymous uploads
- Restrict the ContentUploader endpoint to trusted IP ranges with network-level access controls
- Configure IIS so that files in the upload and media directories are never executed: remove the ASP.NET handler mappings for those directories and drop the Script access policy (configuration below)
- Deploy a WAF that inspects ZIP archive contents and blocks archives containing entries with executable extensions
IIS configuration: disable script execution in the upload directory. Save the following as web.config inside the directory ContentUploader extracts into (the exact path depends on the installation). accessPolicy="Read" drops the default Script permission, so any handler that requires script access is refused; the explicit removals additionally cover the .aspx page handler and the .ashx generic handler in both pipeline modes. The aspNetCore entry applies only where the site is hosted through the ASP.NET Core Module; omit it otherwise.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Read-only access policy: every ASP.NET handler requires Script and is refused -->
    <handlers accessPolicy="Read">
      <remove name="PageHandlerFactory-Integrated-4.0" />
      <remove name="PageHandlerFactory-ISAPI-4.0_64bit" />
      <remove name="PageHandlerFactory-ISAPI-4.0_32bit" />
      <remove name="SimpleHandlerFactory-Integrated-4.0" />
      <remove name="SimpleHandlerFactory-ISAPI-4.0_64bit" />
      <remove name="SimpleHandlerFactory-ISAPI-4.0_32bit" />
      <!-- only when the site runs under the ASP.NET Core Module -->
      <remove name="aspNetCore" />
    </handlers>
  </system.webServer>
</configuration>

Because the bypass lets an archive create a file of any name, an attacker who can write into this directory could also replace this web.config. Prefer setting the same handlers restriction in applicationHost.config inside a <location> element for the directory with overrideMode="Deny", so that a web.config written into the directory cannot override it.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


