CVE-2019-10068
published 2019-03-26

Priority P198, critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 96.03% (99.9th percentile)

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kentico | xperience | >= 10.0.0 < 10.0.52 | 10.0.52 |
| kentico | xperience | >= 11.0.0 < 11.0.48 | 11.0.48 |
| kentico | xperience | >= 12.0.0 < 12.0.15 | 12.0.15 |
| kentico | xperience | 9.0.0 – 9.0.51 | |

Detection & IOCs (extracted from sources)

path: /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData
sigma: HTTP POST to /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData returning HTTP 500 followed by HTTP 200
  • Look for HTTP POST requests to /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData with Content-Type: application/x-www-form-urlencoded and a body containing the 'stagingTaskData' parameter carrying a serialized SOAP envelope with WindowsIdentity/ClaimsIdentity payloads.
  • Exploitation produces a response body containing 'System.InvalidCastException' and 'System.Web.Services.Protocols.SoapException' with HTTP status 500 on the initial probe request, followed by a successful HTTP 200 on the actual exploit request.
  • The vulnerability affects Kentico versions 9.x, 10.0.x before 10.0.52, 11.0.x before 11.0.48, and 12.0.x before 12.0.15. Detection rules targeting the SyncServer.asmx endpoint should be scoped to these version ranges to reduce false positives on patched systems.
  • The exploit bypasses authentication entirely; network-layer controls or authentication-based detections will not catch this attack. Detection must focus on the unauthenticated POST to the staging endpoint and resulting W3WP.EXE child process activity.
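
The status sequence in the rule above can be checked against web server logs. The following is an added example, not part of the original entry or of any vendor tooling: it assumes IIS W3C logs with the `cs-method`, `cs-uri-stem`, `c-ip` and `sc-status` fields, and the sample log lines are constructed. IIS does not log request bodies, so the `stagingTaskData` parameter is not inspected here.

```python
# Added example: flags a client whose POST to the staging endpoint gets
# HTTP 500 and later HTTP 200, the sequence the detection notes describe.
from collections import defaultdict

# IIS paths are case-insensitive, so compare in lower case.
ENDPOINT = "/cmspages/staging/syncserver.asmx/processsynchronizationtaskdata"

# Constructed sample in IIS W3C format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2019-04-02 10:15:01 GET /default.aspx 198.51.100.7 200
2019-04-02 10:15:04 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData 203.0.113.9 500
2019-04-02 10:15:05 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData 203.0.113.9 200
2019-04-02 10:16:10 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData 198.51.100.7 500
2019-04-02 10:17:00 POST /CMSPages/Staging/SyncServer.asmx 192.0.2.44 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_probe_then_success(text):
    """Return alerts for clients whose POST to ENDPOINT got a 500 and later a 200."""
    probes = defaultdict(list)  # c-ip -> timestamps of 500 responses
    alerts = []
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        ip, stamp = row["c-ip"], row["date"] + " " + row["time"]
        if row["sc-status"] == "500":
            probes[ip].append(stamp)
        elif row["sc-status"] == "200" and probes[ip]:
            alerts.append({"client": ip, "probe": probes[ip][0], "success": stamp})
    return alerts

if __name__ == "__main__":
    for alert in find_probe_then_success(SAMPLE_LOG):
        print(alert)
```

A lone 500 on this endpoint (the fourth sample line) is not alerted on its own; pair hits with W3WP.EXE child process telemetry as the notes above recommend.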

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL