CVE-2025-2747
published 2025-03-24

CVE-2025-2747: An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server…

Priority: P197 critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
CISA Known Exploited Vulnerability (KEV), remediation due 2025-11-10
Exploited in the wild
EPSS: 92.16% (99.8th percentile)
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component's password handling for servers defined with the None password type. The bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.

Affected (1 range)

Vendor: kentico
Product: xperience
Version range: <= 13.0.178
Fixed in: (not given)

Detection & IOCs (extracted from sources)

url/path: /CMSPages/Staging/SyncServer.asmx
other: SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"
snort/suricata rule (ET Open, sid:2061283):
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2747)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/CMSPages/Staging/SyncServer.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22 3c|http|3a 2f 2f|localhost|2f|SyncWebService|2f|SyncServer|2f|ProcessSynchronizationTaskData|3e 22|"; http.request_body; content:"|3c|soap|3a|Header|3e|"; content:"|3c|wsse|3a|UsernameToken|3e|"; within:300; content:"|3c|wsse|3a|Username|3e|"; within:30; content:"|3c 2f|wsse|3a|Username|3e|"; within:100; content:"|3c 2f|wsse|3a|UsernameToken|3e|"; within:40; content:"|3c 2f|wsse|3a|Security|3e|"; within:40; content:"|3c|ProcessSynchronizationTaskData|20|xmlns|3d 22|http|3a 2f 2f|localhost/SyncWebService/SyncServer|22 3e|"; within:200; reference:cve,2025-2747; reference:url,labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/; classtype:attempted-admin; sid:2061283; rev:1; metadata:affected_product Kentico_Xperience_CMS, attack_target Web_Server, tls_state plaintext, created_at 2025_04_03, cve CVE_2025_2747, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is an HTTP POST to /CMSPages/Staging/SyncServer.asmx with a SOAPAction naming ProcessSynchronizationTaskData; look for SOAP requests whose wsse:UsernameToken carries a wsse:Username but no wsse:Password element (the 'None' password type the bypass relies on).
  • A successful bypass returns a text/xml response that echoes the submitted object name (e.g., a random string chosen by the scanner) and does NOT contain error strings such as 'Staging does not work with blank password' or 'The security token could not be authenticated or authorized'.
  • Use the FOFA query app="Kentico-CMS" to identify exposed Kentico Xperience CMS instances for proactive scanning.
  • The ET rule (sid:2061283) matches a POST to the exact 33-byte URI /CMSPages/Staging/SyncServer.asmx, the SOAPAction header value, and the presence of wsse:UsernameToken and ProcessSynchronizationTaskData elements in the request body; note that its within:40 constraint between the closing Username and UsernameToken tags is what excludes tokens that carry a Password element.
  • The vulnerability affects Kentico Xperience through version 13.0.178 only; the bypass is specific to the Staging Sync Server component when the server is defined with the 'None' password type.
  • The ET rule is scoped to plaintext traffic (tls_state plaintext); requests to the staging endpoint over TLS will not be seen by the rule unless TLS is terminated or decrypted before the sensor.
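As an added illustration (not code from this page, from watchTowr, or from Kentico), the following Python implements the request-side and response-side checks described in the bullets above: it parses a raw HTTP request, confirms the POST target and SOAPAction, looks for a wsse:UsernameToken that has a Username but no Password child, and classifies a response by its content type, the echoed object name and the absence of the two error strings. The sample requests, the hostname cms.example.invalid and the object name rnd7f3 are constructed for the example.

```python
"""Detection helper for CVE-2025-2747 exploit attempts against the Kentico
Xperience Staging SyncServer endpoint. Example code; sample traffic below is
constructed, not captured."""
import xml.etree.ElementTree as ET

STAGING_URI = "/CMSPages/Staging/SyncServer.asmx"
TASK_ACTION = "ProcessSynchronizationTaskData"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Error strings that mark a *failed* bypass attempt in the server response.
FAILURE_STRINGS = (
    "Staging does not work with blank password",
    "The security token could not be authenticated or authorized",
)


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag: '{ns}Username' -> 'Username'."""
    return tag.rsplit("}", 1)[-1]


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only, so URLs survive
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def username_token_without_password(body: bytes) -> bool:
    """True if any wsse:UsernameToken has a Username child but no Password child."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    for elem in root.iter():
        if _local(elem.tag) != "UsernameToken":
            continue
        children = {_local(child.tag) for child in elem}
        if "Username" in children and "Password" not in children:
            return True
    return False


def is_cve_2025_2747_attempt(raw_request: bytes) -> bool:
    """Request-side detection mirroring the conditions of ET sid:2061283."""
    method, path, headers, body = parse_http_request(raw_request)
    if method != "POST" or path != STAGING_URI:
        return False
    if TASK_ACTION not in headers.get("soapaction", ""):
        return False
    if TASK_ACTION.encode() not in body:
        return False
    return username_token_without_password(body)


def response_indicates_success(content_type: str, body: str, echoed_name: str) -> bool:
    """Response-side check: text/xml, submitted name echoed back, no error strings."""
    if not content_type.lower().startswith("text/xml"):
        return False
    if echoed_name not in body:
        return False
    return not any(err in body for err in FAILURE_STRINGS)


def build_sample_request(include_password: bool) -> bytes:
    """Constructed SOAP request; include_password=False is the bypass shape."""
    password = "<wsse:Password>hunter2</wsse:Password>" if include_password else ""
    body = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}">'
        f"<wsse:UsernameToken><wsse:Username>administrator</wsse:Username>{password}"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f'<soap:Body><{TASK_ACTION} xmlns="http://localhost/SyncWebService/SyncServer">'
        f"<stagingTaskData>rnd7f3</stagingTaskData></{TASK_ACTION}></soap:Body></soap:Envelope>"
    )
    head = (
        f"POST {STAGING_URI} HTTP/1.1\r\nHost: cms.example.invalid\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f'SOAPAction: "http://localhost/SyncWebService/SyncServer/{TASK_ACTION}"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return (head + body).encode()


SAMPLE_BYPASS_REQUEST = build_sample_request(include_password=False)
SAMPLE_LEGIT_REQUEST = build_sample_request(include_password=True)

if __name__ == "__main__":
    print("bypass sample flagged:", is_cve_2025_2747_attempt(SAMPLE_BYPASS_REQUEST))
    print("legit sample flagged: ", is_cve_2025_2747_attempt(SAMPLE_LEGIT_REQUEST))
```

The request check deliberately parses the XML rather than byte-matching like the ET rule, so a token that merely reorders or pads its elements still triggers; the trade-off is that malformed XML is treated as no match, so pair it with the ET rule rather than replacing it.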

CVSS provenance

nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL