CVE-2025-2746
published 2025-03-24

CVE-2025-2746: An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames…

Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-11-10
Exploited in the wild
EPSS: 58.43% (99.0th percentile)
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. The bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.

Affected

4 ranges
Vendor        | Product                                | Version range | Fixed in
kentico       | xperience                              | <= 13.0.172   |
msrc          | azl3_dnf5_5.1.11-2_on_azure_linux_3.0  |               |
msrc          | azl3_dnf5_5.1.11-3_on_azure_linux_3.0  |               |
msrc          | cbl2_dnf5_5.0.14-2_on_cbl_mariner_2.0  |               |

Detection & IOCs (extracted from sources)

path: /CMSPages/Staging/SyncServer.asmx
url: labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
rule (ET Open, sid:2061280; labelled "snort" by the source, but the http.uri/bsize sticky-buffer keywords are Suricata syntax):
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2746)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/CMSPages/Staging/SyncServer.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22 3c|http|3a 2f 2f|localhost|2f|SyncWebService|2f|SyncServer|2f|ProcessSynchronizationTaskData|3e 22|"; http.request_body; content:"|3c|soap|3a|Header|3e|"; content:"|3c|wsse|3a|UsernameToken|3e|"; within:300; content:"|3c|wsse|3a|Username|3e|"; within:30; content:"|3c|wsse|3a|Password|20|Type|3d 22 3c|http|3a|//docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0|23|PasswordDigest|3e 22|"; within:200; content:"|3c|wsse|3a|Nonce|3e|"; within:80; content:"|3c|wsu|3a|Created|3e|"; within:80; content:"|3c|ProcessSynchronizationTaskData|20|xmlns|3d 22 3c|http|3a 2f 2f|localhost|2f|SyncWebService|2f|SyncServer|3e 22|"; within:300; reference:cve,2025-2746; reference:url,labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/; classtype:attempted-admin; sid:2061280; rev:1;)
  • Targets HTTP POST requests whose URI is exactly /CMSPages/Staging/SyncServer.asmx (bsize:33 enforces an exact-length match, so a trailing slash or extra path segment does not match) as the fast-pattern anchor.
  • Inspects the SOAPAction header for the ProcessSynchronizationTaskData operation of the SyncServer service (http://localhost/SyncWebService/SyncServer).
  • Matches, in order and within bounded distances, the WS-Security UsernameToken block inside the SOAP Header of the request body (Username, a Password of type PasswordDigest, Nonce, Created) followed by the ProcessSynchronizationTaskData body element; the bypass abuses the handling of an empty SHA1 username in this digest authentication flow.
  • Nuclei template matcher: a successful probe response echoes the random probe string with a text/xml content-type and does NOT contain any of the error strings 'Site not running', 'SyncServer.ErrorLicense', 'Staging service is not enabled on this server', 'Staging does not work with blank password' or 'Missing X509 certificate token'.
  • According to the writeup, the exploit must use the admin username in the WS-Security token on Hotfix 173 and later, while any username works before Hotfix 173. Monitor for UsernameToken requests whose Username field is empty or 'admin'.
  • The ET rule (sid:2061280) inspects plaintext HTTP only; HTTPS-wrapped traffic to the same endpoint is invisible to it without TLS inspection. Its deployment metadata calls for both perimeter and internal sensors, so place it at both.
  • The vulnerability affects Kentico Xperience through version 13.0.172 (Hotfix 172 and below). Hotfix 173 partially mitigates it, but the bypass still works with the 'admin' username specifically.
  • The Staging Sync Server feature must be enabled on the target for exploitation to succeed; responses containing 'SyncServer.ErrorServiceNotEnabled' or 'Staging service is not enabled on this server' indicate the attack surface is not exposed.
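As an added example (not code from this page, watchTowr, Emerging Threats or Kentico), the following Python re-implements the content/within chain of sid 2061280 as a request matcher and the Nuclei-style response triage described above, and runs both over constructed sample traffic. Assumptions: the operation and digest-type URIs are matched without the |3c|...|3e| bracket bytes the quoted rule shows around them (taken here to be a rendering artifact); the sample request only reproduces the shape the rule looks for and is not a working exploit; the helper names (et_2061280_failures, build_sync_request, staging_probe_hit, password_digest) belong to this example; the digest formula is the OASIS UsernameToken profile's Base64(SHA1(nonce + created + password)).

```python
import base64
import hashlib
import os
from datetime import datetime, timezone

TARGET_URI = "/CMSPages/Staging/SyncServer.asmx"      # exactly 33 bytes (bsize:33)
SYNC_NS = "http://localhost/SyncWebService/SyncServer"
SOAP_ACTION = '"' + SYNC_NS + '/ProcessSynchronizationTaskData"'
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# http.request_body matches of sid 2061280, in rule order, with the rule's
# 'within' distance (None for the first, unanchored match). Suricata semantics:
# each match must END no more than 'within' bytes after the previous match ended.
BODY_CHAIN = [
    (b"<soap:Header>", None),
    (b"<wsse:UsernameToken>", 300),
    (b"<wsse:Username>", 30),
    (b'<wsse:Password Type="' + DIGEST_TYPE.encode() + b'"', 200),
    (b"<wsse:Nonce>", 80),
    (b"<wsu:Created>", 80),
    (b'<ProcessSynchronizationTaskData xmlns="' + SYNC_NS.encode() + b'"', 300),
]


def et_2061280_failures(req):
    """Return the rule conditions the request does NOT satisfy (empty = rule fires).

    req is {"method": str, "uri": str, "headers": dict, "body": bytes}, i.e. an
    already-decrypted request; like the rule, this sees nothing inside TLS.
    """
    failed = []
    if req["method"] != "POST":
        failed.append("http.method")
    if req["uri"] != TARGET_URI:                      # bsize:33 + exact content
        failed.append("http.uri")
    if req["headers"].get("SOAPAction") != SOAP_ACTION:
        failed.append("SOAPAction")
    body, prev_end = req["body"], 0
    for pattern, within in BODY_CHAIN:
        idx = body.find(pattern, prev_end)
        end = idx + len(pattern)
        if idx < 0 or (within is not None and end - prev_end > within):
            failed.append(pattern.split(b" ")[0].decode())
            break
        prev_end = end
    return failed


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile 1.0 PasswordDigest = Base64(SHA1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_sync_request(username: str, password: str, nonce=None, created=None):
    """Constructed sample request in the shape the rule describes (not an exploit)."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Header>"
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        "<wsse:UsernameToken>"
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f'<soap:Body><ProcessSynchronizationTaskData xmlns="{SYNC_NS}">'
        "<stagingTaskData>constructed-placeholder</stagingTaskData>"
        "</ProcessSynchronizationTaskData></soap:Body></soap:Envelope>"
    )
    return {"method": "POST", "uri": TARGET_URI,
            "headers": {"Content-Type": "text/xml; charset=utf-8",
                        "SOAPAction": SOAP_ACTION},
            "body": body.encode()}


# Error markers named by the Nuclei matcher plus the ErrorServiceNotEnabled code.
ERROR_MARKERS = (
    "Site not running", "SyncServer.ErrorLicense", "SyncServer.ErrorServiceNotEnabled",
    "Staging service is not enabled on this server",
    "Staging does not work with blank password", "Missing X509 certificate token",
)


def staging_probe_hit(resp, probe: str) -> bool:
    """Nuclei-style triage: probe echoed back as text/xml with no error marker."""
    ctype = resp["headers"].get("Content-Type", "")
    body = resp["body"]
    return probe in body and "text/xml" in ctype and not any(m in body for m in ERROR_MARKERS)


if __name__ == "__main__":
    req = build_sync_request("admin", "")
    print("rule fires:", et_2061280_failures(req) == [])        # True
    print("GET fails on:", et_2061280_failures({**req, "method": "GET"}))
    disabled = {"headers": {"Content-Type": "text/xml"},
                "body": "<f>SyncServer.ErrorServiceNotEnabled</f> p4"}     # constructed
    print("staging exposed:", staging_probe_hit(disabled, "p4"))          # False
```

The matcher deliberately mirrors the rule's ordered-content semantics rather than parsing XML, so it fails and succeeds where the sensor would; the response triage is what separates a reachable Staging Sync Server from a host that merely serves the endpoint.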

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck     |         | 9.8   | CRITICAL |
cisa          |         | 9.8   | CRITICAL |
vendor_msrc   |         | 8.8   | HIGH     |
vendor_redhat |         | 5.5   | MEDIUM   |