Two critical vulnerabilities in Kentico Xperience, tracked as CVE-2025-2746 and CVE-2025-2747, have been actively exploited in the wild, prompting urgent action from security teams. Both vulnerabilities, which carry a CVSS score of 9.8, allow attackers to bypass authentication mechanisms, potentially granting them control over administrative objects within the CMS.
CVE-2025-2746 involves an authentication bypass via the Staging Sync Server's handling of empty SHA1 usernames in digest authentication. This flaw affects all versions of Kentico Xperience up to version 13. Similarly, CVE-2025-2747 exploits a weakness in the Staging Sync Server component's password handling for the server-defined None type, affecting versions up to 13.0.178.
The vulnerabilities were initially disclosed on March 24, 2025, and have since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of October 20, 2025. The Exploit Prediction Scoring System (EPSS) rates these vulnerabilities at 0.843 and 0.894, respectively, indicating a high likelihood of exploitation. The time to exploit in the wild was recorded at just over 209 days from disclosure, underscoring the urgency for patching.
Organizations using Kentico Xperience should prioritize applying the latest security updates to mitigate these risks. Given the critical nature of these vulnerabilities and their active exploitation, defenders should also review access logs for any signs of unauthorized access and strengthen their authentication mechanisms where possible.
CSURFACE