CVE-2025-2746
published 2025-03-24
CVE-2025-2746: An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames…
Priority P197 · critical · CVSS 3.1 9.8
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-11-10
Exploited in the wild
EPSS 58.43% (99.0th percentile)
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through 13.0.172.
Affected
4 ranges listed; only the first concerns this CVE. The three msrc rows are dnf5 package builds from Microsoft's CVE-2024-2746 advisory (see the Microsoft entry below) and appear to have been pulled in by the shared "2746" number.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kentico | xperience | <= 13.0.172 | — (no fixed version given; Hotfix 173 only closes the any-username variant, see notes) |
| msrc | azl3_dnf5_5.1.11-2_on_azure_linux_3.0 | — | — (CVE-2024-2746, not this CVE) |
| msrc | azl3_dnf5_5.1.11-3_on_azure_linux_3.0 | — | — (CVE-2024-2746, not this CVE) |
| msrc | cbl2_dnf5_5.0.14-2_on_cbl_mariner_2.0 | — | — (CVE-2024-2746, not this CVE) |
Detection & IOCs (extracted from sources)
url: labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
Rule: Emerging Threats sid:2061280, Suricata syntax (the page labels it "snort", but the http1 protocol keyword and http.* sticky buffers are Suricata's; the same rule is listed under the Suricata entry below)
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2746)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/CMSPages/Staging/SyncServer.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22 3c|http|3a 2f 2f|localhost|2f|SyncWebService|2f|SyncServer|2f|ProcessSynchronizationTaskData|3e 22|"; http.request_body; content:"|3c|soap|3a|Header|3e|"; content:"|3c|wsse|3a|UsernameToken|3e|"; within:300; content:"|3c|wsse|3a|Username|3e|"; within:30; content:"|3c|wsse|3a|Password|20|Type|3d 22 3c|http|3a|//docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0|23|PasswordDigest|3e 22|"; within:200; content:"|3c|wsse|3a|Nonce|3e|"; within:80; content:"|3c|wsu|3a|Created|3e|"; within:80; content:"|3c|ProcessSynchronizationTaskData|20|xmlns|3d 22 3c|http|3a 2f 2f|localhost|2f|SyncWebService|2f|SyncServer|3e 22|"; within:300; reference:cve,2025-2746; reference:url,labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/; classtype:attempted-admin; sid:2061280; rev:1;)
Detection logic (from the ET rule above):
- Match HTTP POST requests to the exact URI /CMSPages/Staging/SyncServer.asmx; bsize:33 is an exact-length match on the 33-byte path and is the rule's fast-pattern anchor.
- Inspect the SOAPAction header for the ProcessSynchronizationTaskData operation of the SyncServer service. The literal localhost in http://localhost/SyncWebService/SyncServer is the service's fixed namespace URI and does not mean the request originated locally.
- Detect a WS-Security UsernameToken in the SOAP header whose Password element carries the PasswordDigest type, together with Nonce and Created; the bypass abuses how the staging service handles the digest for empty usernames.
- Nuclei template success criterion: the response reflects the random probe string, has a text/xml content-type, and contains none of the error strings 'Site not running', 'SyncServer.ErrorLicense', 'Staging service is not enabled on this server', 'Staging does not work with blank password', or 'Missing X509 certificate token'.
- Before Hotfix 173 any username works; from Hotfix 173 the exploit uses the 'admin' username. Monitor UsernameToken requests to this endpoint whose Username element is empty or 'admin'.
- The ET rule inspects plaintext HTTP only; deploy it on both perimeter and internal sensors, and where the CMS is served over HTTPS place it behind TLS termination or inspection, otherwise the rule never sees the request.
Caveats:
- The advisory's affected range ends at 13.0.172 (Hotfix 172 and below). The Nuclei notes add that Hotfix 173 only closes the any-username variant: the bypass still works there with the 'admin' username.
- The Staging Sync Server feature must be enabled on the target for exploitation to succeed; responses containing 'SyncServer.ErrorServiceNotEnabled' or 'Staging service is not enabled on this server' indicate the attack surface is not exposed.
- In the rule text as displayed here the SOAPAction and xmlns matches carry hex-encoded angle brackets around the URLs (|3c|http…|3e|), which is not how a well-formed SOAP request carries those values; check the rule against the ET ruleset source before relying on it.
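As an added example (not code from the page's sources, from Emerging Threats, watchTowr or Kentico), the request-side checks described above applied to a constructed request in Python. The function names (`inspect_request`, `build_sample_request`, `wss_password_digest`), the sample nonce and timestamp, and the `WEAK_USERNAMES` list are assumptions of this example; the digest formula is the one from the WSS UsernameToken Profile 1.0. The SOAPAction value is matched without the angle brackets that appear in the rule as rendered above. The empty-password digest check goes beyond what the page states: it flags a token that validates against an empty password, which is what a token forged without any credential looks like, and is labelled as a heuristic in the code.

```python
"""Added example: request-side triage for CVE-2025-2746 probe traffic.

Applies the conditions from the ET rule and the notes above to one HTTP request:
exact POST to /CMSPages/Staging/SyncServer.asmx, the ProcessSynchronizationTaskData
SOAPAction, a WS-Security UsernameToken using PasswordDigest, and an empty or
'admin' Username. It also checks (a heuristic of this example, not a claim taken
from the page) whether the digest validates against an EMPTY password under the
WSS UsernameToken Profile 1.0 formula Base64(SHA-1(nonce || created || password)).
"""
import base64
import hashlib
import re
from typing import Dict, Optional

SYNC_URI = "/CMSPages/Staging/SyncServer.asmx"          # 33 bytes: the rule's bsize:33
SOAP_ACTION = '"http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"'
DIGEST_TYPE = "oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
WEAK_USERNAMES = ("", "admin")                            # any name pre-173, 'admin' from Hotfix 173


def wss_password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security PasswordDigest: Base64(SHA-1(decoded nonce || created || password))."""
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def _text(xml: str, qname: str) -> Optional[str]:
    """Text of the first <qname>...</qname> element, or None if absent (regex is enough for triage)."""
    q = re.escape(qname)
    m = re.search(rf"<{q}\b[^>]*>(.*?)</{q}>", xml, re.S)
    return m.group(1).strip() if m else None


def inspect_request(method: str, uri: str, headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Return every check separately so a triage log shows why a request was flagged."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    checks: Dict[str, object] = {
        "sync_endpoint": method.upper() == "POST" and uri == SYNC_URI,
        "soap_action": hdrs.get("soapaction", "").strip() == SOAP_ACTION,
        "password_digest_token": False,
        "username": None,
        "weak_username": False,
        "digest_matches_empty_password": False,
        "flag": False,
    }
    tok = re.search(r"<wsse:UsernameToken\b.*?</wsse:UsernameToken>", body, re.S)
    if tok:
        token = tok.group(0)
        username = _text(token, "wsse:Username")
        checks["username"] = username
        checks["weak_username"] = username is not None and username.lower() in WEAK_USERNAMES
        pw = re.search(r'<wsse:Password\b[^>]*Type="([^"]*)"[^>]*>(.*?)</wsse:Password>', token, re.S)
        nonce, created = _text(token, "wsse:Nonce"), _text(token, "wsu:Created")
        if pw and pw.group(1).endswith(DIGEST_TYPE) and nonce and created:
            checks["password_digest_token"] = True
            try:  # heuristic (assumption of this example): would the digest verify with password ""?
                checks["digest_matches_empty_password"] = (
                    pw.group(2).strip() == wss_password_digest(nonce, created, ""))
            except ValueError:  # undecodable nonce: leave the heuristic False
                pass
    # The ET rule also requires the SOAPAction; it is recorded but not required here so that
    # a renamed operation against the same endpoint still surfaces for review.
    checks["flag"] = bool(checks["sync_endpoint"] and checks["password_digest_token"]
                          and (checks["weak_username"] or checks["digest_matches_empty_password"]))
    return checks


# Constructed sample traffic (not a PoC): the header shape the ET rule describes, with an
# empty task element in the body. Nonce and timestamp are arbitrary values for this example.
NONCE_B64 = base64.b64encode(b"0123456789abcdef").decode()
CREATED = "2025-03-24T12:00:00Z"


def build_sample_request(username: str, password: str = ""):
    digest = wss_password_digest(NONCE_B64, CREATED, password)
    body = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" '
        'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
        "<soap:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{username}</wsse:Username>"
        '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
        f'oasis-200401-wss-username-token-profile-1.0#PasswordDigest">{digest}</wsse:Password>'
        f"<wsse:Nonce>{NONCE_B64}</wsse:Nonce><wsu:Created>{CREATED}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        '<soap:Body><ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer"/>'
        "</soap:Body></soap:Envelope>"
    )
    headers = {"SOAPAction": SOAP_ACTION, "Content-Type": "text/xml; charset=utf-8"}
    return "POST", SYNC_URI, headers, body


if __name__ == "__main__":
    for name, pw in (("", ""), ("admin", ""), ("staging_svc", "correct horse battery")):
        result = inspect_request(*build_sample_request(name, pw))
        print(f"username={name!r:14} flag={result['flag']} "
              f"empty-password digest={result['digest_matches_empty_password']}")
```

Run against a WAF or reverse-proxy access log that retains request bodies, or against decrypted traffic from the TLS-terminating tier; on the plaintext-only sensor the ET rule already covers the same conditions. A hit where `digest_matches_empty_password` is true and the username is neither empty nor 'admin' is still worth a look, since it means the sender computed the token without any password.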
CVSS provenance
nvd v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
vendor_msrc · 8.8 HIGH (this score belongs to CVE-2024-2746, the dnf5 advisory below, not to this CVE)
vendor_redhat · 5.5 MEDIUM (this score belongs to CVE-2025-23130, the kernel f2fs advisory below, not to this CVE)
CISA
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
cisa·2025-10-20·CVSS 9.8
CVE-2025-2746 [CRITICAL] CWE-288 Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
Vulnerability: Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
Affected: Kentico Xperience CMS
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2746
Remediation Due Date: 2025-11-10
Red Hat (unrelated entry: CVE-2025-23130, a Linux kernel f2fs bug; it surfaces here because its stack trace contains "segment.c:2746", not because it concerns Kentico)
kernel: f2fs: fix to avoid panic once fallocation fails for pinfile
vendor_redhat·2025-04-16·CVSS 5.5
CVE-2025-23130 [MEDIUM] kernel: f2fs: fix to avoid panic once fallocation fails for pinfile
kernel: f2fs: fix to avoid panic once fallocation fails for pinfile
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid panic once fallocation fails for pinfile
syzbot reports a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2746!
CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]
RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876
Call Trace:
__allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210
f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]
f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238
f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830
f2fs_fallocate+0x537/0xa10 fs/f2fs
Microsoft (unrelated entry: CVE-2024-2746, the incomplete fix for CVE-2024-1929 in dnf5 on Azure Linux / CBL-Mariner; it shares only the "2746" number with this CVE)
Incomplete fix for CVE-2024-1929
vendor_msrc·2024-05-14·CVSS 8.8
CVE-2024-2746 [HIGH] CWE-20 Incomplete fix for CVE-2024-1929
Incomplete fix for CVE-2024-1929
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, redhat
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/
GHSA
GHSA-h4vh-mhxh-6rrr: An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames…
ghsa_unreviewed·2025-03-24
CVE-2025-2746 [CRITICAL] CWE-287 GHSA-h4vh-mhxh-6rrr
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through 13.0.172.
VulnCheck
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-2746 [CRITICAL] CWE-288 Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.
Affected: Kentico Xperience CMS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/resources/research-reports/global-cybersecurity-report/; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-11-10
Suricata
ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2746)
suricata·2025-04-03·CVSS 9.8
CVE-2025-2746 [CRITICAL] ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2746)
ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2746)
Rule: alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2746)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/CMSPages/Staging/SyncServer.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22 3c|http|3a 2f 2f|localhost|2f|SyncWebService|2f|SyncServer|2f|ProcessSynchronizationTaskData|3e 22|"; http.request_body; content:"|3c|soap|3a|Header|3e|"; content:"|3c|wsse|3a|UsernameToken|3e|"; within:300; content:"|3c|wsse|3a|Username|3e|"; within:30; content:"|3c|wsse|3a|Password|20|Type|3d 22 3c|http|3a|//docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0|23|P
Nuclei
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
nuclei·CVSS 9.8
CVE-2025-2746 [CRITICAL] Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and […] (the rest of the template description and its raw SOAP request were lost in extraction; of the request only the Username value `admin` and the closing `]]>` of its CDATA block survive, consistent with the note above that the 'admin' username is required from Hotfix 173 on).
Matchers (all three must hold; the second word of the first matcher was stripped as markup and is shown empty, as extracted):
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{rand}}"
- ""
condition: and
- type: word
part: body
words:
- "Site not running"
- "SyncServer.ErrorLicense"
- "SyncServer.ErrorServiceNotEnabled"
- "Staging service is not enabled on this server"
- "Staging does not work with blank password"
- "Missing X509 certificate token"
- "The security token could not be authenticated or authorized"
condition: or
negative: true
- type: word
part: content_type
words:
- "text/xml"
# digest: 490a00463044022031f0e97b2a62c2a676061f0fb7dcac3e9acfa5d9
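An added example, not part of the watchTowr template or of any tool on this page: the template's three matchers re-implemented in plain Python so scan responses can be classified without running nuclei. The sample responses, the `evaluate_response` and `classify_all` names and the verdict labels are this example's own; the only meaning taken from the page is that the two 'service not enabled' strings mean the attack surface is not exposed. Because the first matcher's second word was lost in extraction, the real template is stricter than this reimplementation.

```python
"""Added example: response-side triage in the spirit of the Nuclei template above.

matchers-condition: and  ->  (probe reflected in body) AND (no error string in body)
                             AND ("text/xml" in content type)
"""
from typing import Dict, List

ERROR_STRINGS: List[str] = [
    "Site not running",
    "SyncServer.ErrorLicense",
    "SyncServer.ErrorServiceNotEnabled",
    "Staging service is not enabled on this server",
    "Staging does not work with blank password",
    "Missing X509 certificate token",
    "The security token could not be authenticated or authorized",
]
# Per the page's notes: these two strings mean the staging sync server is not enabled.
NOT_EXPOSED = {"SyncServer.ErrorServiceNotEnabled", "Staging service is not enabled on this server"}


def evaluate_response(probe: str, content_type: str, body: str) -> Dict[str, object]:
    """Apply the template's matchers individually and derive a verdict (labels are this example's)."""
    reflected = probe in body                                   # matcher 1: word "{{rand}}" in body
    hits = [s for s in ERROR_STRINGS if s in body]
    no_error = not hits                                         # matcher 2: negative, condition: or
    is_xml = "text/xml" in content_type.lower()                 # matcher 3: part content_type
    matched = reflected and no_error and is_xml                 # matchers-condition: and
    if matched:
        verdict = "matched: probe reflected by the staging service, treat as bypass succeeded"
    elif any(h in NOT_EXPOSED for h in hits):
        verdict = "not-exposed: staging sync server disabled"
    elif hits:
        verdict = "rejected: " + hits[0]
    elif not is_xml:
        verdict = "inconclusive: non-XML response (endpoint missing, WAF, or error page)"
    else:
        verdict = "inconclusive: XML response without the probe value"
    return {"reflected": reflected, "error_hits": hits, "text_xml": is_xml,
            "matched": matched, "verdict": verdict}


# Constructed sample responses (not captured traffic); element names are illustrative.
PROBE = "wt7Qk2pL9xZ3"
SAMPLES = {
    "reflected": ("text/xml; charset=utf-8",
        '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><ProcessSynchronizationTaskDataResponse>"
        f"<ProcessSynchronizationTaskDataResult>{PROBE}</ProcessSynchronizationTaskDataResult>"
        "</ProcessSynchronizationTaskDataResponse></soap:Body></soap:Envelope>"),
    "disabled": ("text/xml; charset=utf-8",
        "<soap:Envelope><soap:Body><soap:Fault><faultstring>"
        "SyncServer.ErrorServiceNotEnabled: Staging service is not enabled on this server"
        "</faultstring></soap:Fault></soap:Body></soap:Envelope>"),
    "blank_password": ("text/xml; charset=utf-8",
        "<soap:Envelope><soap:Body><soap:Fault><faultstring>"
        "Staging does not work with blank password</faultstring></soap:Fault></soap:Body></soap:Envelope>"),
    "not_found": ("text/html", f"<html><body>404 Not Found {PROBE}</body></html>"),
}


def classify_all(probe: str = PROBE) -> Dict[str, str]:
    """Verdict per sample; the html sample shows that reflection alone does not satisfy the template."""
    return {name: evaluate_response(probe, ct, body)["verdict"] for name, (ct, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:15} -> {verdict}")
```

The useful output for triage is not the boolean but the error string that suppressed a match: 'not enabled' responses can be deprioritised, while 'blank password' and 'security token could not be authenticated' responses confirm the endpoint is reachable and parsing WS-Security tokens, so the host still belongs on the patch list.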
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
Bugzilla
CVE-2025-23130 kernel: f2fs: fix to avoid panic once fallocation fails for pinfile
bugzilla·2025-04-16·CVSS 5.5
CVE-2025-23130 [MEDIUM] (the same unrelated Linux kernel f2fs advisory as the Red Hat entry above; its body duplicates that entry verbatim and is not repeated here)
References
- https://devnet.kentico.com/download/hotfixes
- https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
- https://www.vulncheck.com/advisories/kentico-xperience-staging-sync-server-digest-password-authentication-bypass
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2746
Timeline
2025-03-24 · Published
2025-10-20 · Added to CISA KEV (exploited in the wild)