CVE-2025-2747
Published 2025-03-24
Priority P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2025-11-10
Exploited in the wild
EPSS: 92.16% (99.8th percentile)
An authentication bypass vulnerability in Kentico Xperience, in the password handling of the Staging Sync Server component when the staging server is defined with the 'None' password type, allows an unauthenticated attacker to bypass authentication and control administrative objects. This issue affects Xperience through 13.0.178.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kentico | xperience | <= 13.0.178 | — |
Detection & IOCs (extracted from sources)
path: /CMSPages/Staging/SyncServer.asmx
other: SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"
suricata rule (ET Open, sid 2061283; the page lists it under "snort" but it uses Suricata sticky-buffer syntax):
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2747)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/CMSPages/Staging/SyncServer.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22 3c|http|3a 2f 2f|localhost|2f|SyncWebService|2f|SyncServer|2f|ProcessSynchronizationTaskData|3e 22|"; http.request_body; content:"|3c|soap|3a|Header|3e|"; content:"|3c|wsse|3a|UsernameToken|3e|"; within:300; content:"|3c|wsse|3a|Username|3e|"; within:30; content:"|3c 2f|wsse|3a|Username|3e|"; within:100; content:"|3c 2f|wsse|3a|UsernameToken|3e|"; within:40; content:"|3c 2f|wsse|3a|Security|3e|"; within:40; content:"|3c|ProcessSynchronizationTaskData|20|xmlns|3d 22|http|3a 2f 2f|localhost/SyncWebService/SyncServer|22 3e|"; within:200; reference:cve,2025-2747; reference:url,labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/; classtype:attempted-admin; sid:2061283; rev:1; metadata:affected_product Kentico_Xperience_CMS, attack_target Web_Server, tls_state plaintext, created_at 2025_04_03, cve CVE_2025_2747, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic is an HTTP POST to /CMSPages/Staging/SyncServer.asmx with the SOAPAction ProcessSynchronizationTaskData; look for SOAP requests whose wsse:UsernameToken carries an empty or None-type password in the request body.
- Successful exploitation returns the echoed object name (e.g. a random string) with a text/xml Content-Type, and the response does NOT contain error strings such as 'Staging does not work with blank password' or 'The security token could not be authenticated or authorized'.
- The FOFA query app="Kentico-CMS" identifies exposed Kentico Xperience CMS instances for proactive scanning.
- The ET rule (sid:2061283) matches a POST to the exact 33-byte URI /CMSPages/Staging/SyncServer.asmx, the SOAPAction header value, and the presence of wsse:UsernameToken and ProcessSynchronizationTaskData elements in the request body. Note the `within:40` that ties `</wsse:UsernameToken>` to the preceding `</wsse:Username>`: it leaves no room for a wsse:Password element, so the rule keys specifically on the password-less (None-type) token and will not fire on a token that carries a Password element, even an empty one.
- The vulnerability affects Kentico Xperience through version 13.0.178 only; the bypass is specific to the Staging Sync Server component when the staging server is defined with the 'None' password type.
- The ET rule is scoped to plaintext HTTP (tls_state plaintext); exploitation over TLS will not match unless the traffic is decrypted before inspection.
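The following Python script is an added worked example, not code from the page's sources, ET Open or watchTowr. It applies the indicators above to captured HTTP text: it parses a raw request, flags a POST to the staging endpoint carrying the ProcessSynchronizationTaskData SOAPAction whose wsse:UsernameToken has no Password element, an empty one, or a non-standard Type attribute, and classifies a response body using the error strings quoted above. The sample request and response strings, the hostname, and the "missing Type means PasswordText" default are constructed assumptions layered on the notes above.

```python
"""Added example: triage helper for CVE-2025-2747 exploitation attempts.
Not from the page's sources; sample messages below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET  # for untrusted captures prefer defusedxml

STAGING_PATH = "/CMSPages/Staging/SyncServer.asmx"  # exact 33-byte URI the ET rule keys on
TARGET_ACTION = "ProcessSynchronizationTaskData"
NS_WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
STANDARD_PASSWORD_TYPES = {UTP + "#PasswordText", UTP + "#PasswordDigest"}
# Error strings quoted in the detection notes; their absence plus a text/xml
# reply is the success heuristic those notes describe.
ERROR_STRINGS = (
    "Staging does not work with blank password",
    "The security token could not be authenticated or authorized",
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: str = ""


def parse_raw_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser for captured text (no chunked bodies)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target.split("?", 1)[0], headers, body)


def username_token_findings(body: str) -> list[str]:
    """Reasons a wsse:UsernameToken in the SOAP header looks like the None-type bypass."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    findings = []
    for token in root.iter(f"{{{NS_WSSE}}}UsernameToken"):
        password = token.find(f"{{{NS_WSSE}}}Password")
        if password is None:
            findings.append("UsernameToken without a Password element (None-type password)")
        elif not (password.text or "").strip():
            findings.append("UsernameToken with an empty Password")
        else:
            # Assumption: a missing Type attribute defaults to PasswordText (UsernameToken
            # profile), so only explicitly non-standard types are flagged.
            ptype = password.get("Type")
            if ptype is not None and ptype not in STANDARD_PASSWORD_TYPES:
                findings.append(f"UsernameToken with non-standard Password Type {ptype!r}")
    return findings


def is_exploit_attempt(req: HttpRequest) -> tuple[bool, list[str]]:
    """True when the request matches the CVE-2025-2747 indicators, plus the reasons."""
    if req.method.upper() != "POST" or req.path != STAGING_PATH:
        return False, []
    if TARGET_ACTION not in req.headers.get("soapaction", ""):
        return False, []
    if TARGET_ACTION not in req.body:
        return False, []
    findings = username_token_findings(req.body)
    return bool(findings), findings


def classify_response(body: str, content_type: str) -> str:
    """'rejected' on a known error string, 'possible-success' for text/xml without one."""
    if any(err in body for err in ERROR_STRINGS):
        return "rejected"
    if "text/xml" in content_type.lower():
        return "possible-success"
    return "unknown"


def _soap_request(username_token_inner: str) -> str:
    """Constructed request in the shape the ET rule describes (hostname is made up)."""
    return (
        "POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1\r\n"
        "Host: cms.example.test\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        'SOAPAction: "<http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData>"\r\n'
        "\r\n"
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:wsse="{NS_WSSE}"><soap:Header><wsse:Security>'
        f"<wsse:UsernameToken>{username_token_inner}</wsse:UsernameToken>"
        "</wsse:Security></soap:Header><soap:Body>"
        '<ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">'
        "</ProcessSynchronizationTaskData></soap:Body></soap:Envelope>"
    )


# Constructed samples: a password-less token (bypass shape) and a digest-authenticated one.
SAMPLE_EXPLOIT_REQUEST = _soap_request("<wsse:Username>administrator</wsse:Username>")
SAMPLE_LEGIT_REQUEST = _soap_request(
    "<wsse:Username>staging</wsse:Username>"
    f'<wsse:Password Type="{UTP}#PasswordDigest">c2FtcGxlLWRpZ2VzdA==</wsse:Password>'
)
SAMPLE_REJECTED_RESPONSE = "<soap:Fault>Staging does not work with blank password</soap:Fault>"

if __name__ == "__main__":
    for label, raw in (("exploit", SAMPLE_EXPLOIT_REQUEST), ("legit", SAMPLE_LEGIT_REQUEST)):
        print(label, is_exploit_attempt(parse_raw_request(raw)))
    print(classify_response(SAMPLE_REJECTED_RESPONSE, "text/xml"))
```

The request-side checks mirror the ET rule's ordering (method, exact URI, SOAPAction, body elements) but decide the password condition by parsing the token rather than by byte distance, so an empty or oddly typed Password element is also surfaced; the response classifier is only a heuristic and should be paired with the echoed-object check from the notes above.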
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
GHSA
GHSA-8345-rfq2-7h8q · ghsa_unreviewed · 2025-03-24 · CVE-2025-2747 [CRITICAL] CWE-287
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.
VulnCheck
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
vulncheck · 2025 · CVSS 9.8 · CVE-2025-2747 [CRITICAL] CWE-288
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.
Affected: Kentico Xperience CMS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://cyble.com/resources/research-reports/global-cybersecurity-report/
- https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-11-10
CISA
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
cisa · 2025-10-20 · CVSS 9.8 · CVE-2025-2747 [CRITICAL] CWE-288
Affected: Kentico Xperience CMS
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://devnet.kentico.com/download/hotfixes
- https://nvd.nist.gov/vuln/detail/CVE-2025-2747
Remediation Due Date: 2025-11-10
Suricata
ET WEB_SPECIFIC_APPS Kentico Xperience CMS Authentication Bypass Attempt (CVE-2025-2747)
suricata · 2025-04-03 · CVSS 9.8 · CVE-2025-2747 [CRITICAL]
Rule: sid 2061283, rev 1; the full rule text is reproduced under Detection & IOCs above.
Nuclei
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)
nuclei · CVSS 9.8 · CVE-2025-2747 [CRITICAL]
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.
Template (info section):

```yaml
id: CVE-2025-2747

info:
  name: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)
  author: DhiyaneshDK
  severity: critical
  description: |
    An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.
```
References
- https://devnet.kentico.com/download/hotfixes
- https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
- https://www.vulncheck.com/advisories/kentico-xperience-staging-sync-server-none-password-type-authentication-bypass
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2747
Timeline
- 2025-03-24: Published
- 2025-10-20: Added to CISA KEV
- Exploited in the wild