CVE-2025-2749

7.2

HIGH CVSS 3.1

Kentico Xperience Path Traversal Vulnerability - [Actively Exploited]

Overview

Description

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.

Details

INFO

Published Date :

March 24, 2025, 7:15 p.m.

Last Modified :

April 21, 2026, 12:48 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]

CISA Notification

CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Due Date: May 04, 2026 | 4 days left

Alert Date: Apr 20, 2026 | 9 days ago

Description :

Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2749

Impact

Affected Products

The following products are affected by CVE-2025-2749 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product	Action
1	Kentico	xperience

: Total Affected Vendor : 1 | Products : 1

Scoring

CVSS Scores

The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.

Score	Version	Severity	Vector	Exploitability Score	Impact Score	Source
	CVSS 3.1	HIGH				[email protected]

Solution

Update Kentico Xperience to a version that addresses the path traversal and arbitrary file upload vulnerability.

Update Kentico Xperience to the latest version.
Apply vendor security patches promptly.
Restrict access to staging sync server functionality.
Validate all uploaded file types and content.

Public PoC/Exploit Available at Github

CVE-2025-2749 has a 1 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-2749.

URL	Resource
https://devnet.kentico.com/download/hotfixes	Patch
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce	Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749	US Government Resource

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-2749 is associated with the following CWEs:

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-434: Unrestricted Upload of File with Dangerous Type

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-2749 weaknesses.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic Using Slashes and URL Encoding Combined to Bypass Validation Logic CAPEC-76: Manipulating Web Input to File System Calls Manipulating Web Input to File System Calls CAPEC-78: Using Escaped Slashes in Alternate Encoding Using Escaped Slashes in Alternate Encoding CAPEC-79: Using Slashes in Alternate Encoding Using Slashes in Alternate Encoding CAPEC-126: Path Traversal Path Traversal CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs Accessing Functionality Not Properly Constrained by ACLs

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

DevGreick/devgreick

None

Python

Updated: 4 days, 9 hours ago

1 stars 0 fork 0 watcher

Born at : Oct. 29, 2024, 8:10 p.m. This repo has been linked 10 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-2749 vulnerability anywhere in the article.

TheCyberThrone

CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog

CISA expanded its Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026, adding eight security flaws spanning enterprise print management, CI/CD platforms, CMS infrastructure, appliance mana ...