CVE Alert: CVE-2025-2746 – Kentico – Xperience
CVE-2025-2746
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.
AI Summary Analysis
Risk verdict
Critical remote authentication bypass is being actively exploited; treat as priority 1.
Why this matters
An unauthenticated attacker can bypass access controls and take administrative control via the Staging Sync Server, enabling full manipulation of administrative objects. With network-level access and no user interaction required, impact includes configuration tampering, data exposure, and potential persistence within the admin surface.
Most likely attack path
The attack relies on network access to the Staging Sync Server, exploiting the digest auth flow with empty SHA1 usernames to bypass authentication. No privileges are required to start, and the attacker can directly access and modify administrative objects, enabling lateral movement or object-level manipulation within the application's staging ecosystem.
Who is most exposed
Deployments exposing the Staging Sync Server to untrusted networks or internet-facing ingress are at greatest risk. This is common in on-prem or cloud setups that integrate staging workflows with public access or weak network segmentation.
Detection ideas
- Look for repeated unauthorised attempts to access admin endpoints via Staging Sync Server.
- Alerts on authentication bypass indicators and abnormal digest-auth events with empty usernames.
- Unusual creation or modification of administrative objects, or orphaned admin changes made outside maintenance windows.
- Logs showing outbound or anomalous traffic to staging endpoints from unexpected hosts.
- Sudden surge in administrative activity after baseline stability.
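A small triage script for the digest-auth detection idea above (digest-auth events with empty usernames), added here as an example; it is not part of the original alert or of Kentico's own tooling. It assumes a proxy or web-server log that records the Authorization header in a pipe-separated line format; the sample lines, IPs and endpoint paths are constructed placeholders, and treating a username equal to SHA1 of the empty string as "empty" is an assumption about how the field may be encoded.

```python
import hashlib
import re
from collections import Counter

# Constructed sample lines (not real Kentico logs): ip|method|path|status|Authorization header.
# Paths are placeholders, not the product's real endpoints.
SAMPLE_LOGS = [
    '10.0.0.5|POST|/staging-endpoint-placeholder|401|Digest username="editor", realm="staging", nonce="n1", response="r1"',
    '203.0.113.9|POST|/staging-endpoint-placeholder|200|Digest username="", realm="staging", nonce="n2", response="r2"',
    '203.0.113.9|POST|/staging-endpoint-placeholder|200|Digest username=da39a3ee5e6b4b0d3255bfef95601890afd80709, realm="staging", nonce="n3", response="r3"',
    '10.0.0.7|GET|/admin-placeholder|200|-',
    '203.0.113.9|POST|/staging-endpoint-placeholder|200|Basic ZWRpdG9yOnB3',
]

# key="quoted value" or key=unquoted-value, comma separated
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')
# Assumption: the username field might carry a hex SHA1 digest, so also match SHA1("").
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()


def parse_digest(header):
    """Return the parameters of a Digest Authorization header as a dict, or None if not Digest."""
    if not header.lower().startswith("digest "):
        return None
    params = {}
    for m in PARAM_RE.finditer(header[7:]):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def is_empty_username(params):
    """True when the digest username is literally empty, or equals SHA1 of the empty string."""
    user = params.get("username")
    if user is None:
        return False
    return user == "" or user.lower() == EMPTY_SHA1


def scan(log_lines):
    """Return (flagged events, count per source IP). A 2xx status alongside an
    empty username is the strongest signal, since it means the request was accepted."""
    flagged, per_ip = [], Counter()
    for line in log_lines:
        ip, method, path, status, auth = line.split("|", 4)
        params = parse_digest(auth)
        if params is None or not is_empty_username(params):
            continue
        flagged.append({"ip": ip, "path": path, "status": int(status),
                        "accepted": int(status) < 400, "username": params["username"]})
        per_ip[ip] += 1
    return flagged, per_ip
```

Feed real proxy lines through `scan()` and alert on any flagged event with `accepted` set, then pivot on the source IP for the admin-object changes listed above.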
Mitigation and prioritisation
- Apply the patched build or hotfix that closes the bypass; upgrade to a vendor-supported version.
- Restrict Staging Sync Server access to trusted networks and apply strong network segmentation.
- Disable or harden digest authentication where feasible; implement MFA for admin surfaces.
- Implement compensating controls: WAF rules, IP allowlists, and rigorous change-control.
- If KEV is active or exploitation is widespread, treat as priority 1; synchronise remediation with change-management windows.