CVE-2025-2748
published 2025-03-24


Priority: P179
Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Status: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 59.07% (99.0th percentile)
The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.

Affected (1 range)

Vendor: kentico
Product: xperience
Version range: <= 13.0.178
Fixed in: not stated

Detection & IOCs (extracted from sources)

url: /CMSModules/Content/CMSPages/MultiFileUploader.ashx
url: /CMSPages/GetResource.ashx?image=/App_Data/CMSTemp/MultiFileUploader/00/00000000-0000-0000-0000-000000000000/
path: /App_Data/CMSTemp/MultiFileUploader/00/00000000-0000-0000-0000-000000000000/
command: POST /CMSModules/Content/CMSPages/MultiFileUploader.ashx?Filename=<zip>&Complete=false with Content-Type: application/octet-stream
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kentico Xperience CMS Cross Site Scripting via Unauthenticated File Upload Attempt (CVE-2025-2748)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CMSModules/Content/CMSPages/MultiFileUploader.ashx|3f|"; fast_pattern; startswith; content:"Filename|3d|"; content:".zip"; within:150; content:"Complete|3d|false"; reference:cve,2025-2748; reference:url,labs.watchtowr.com/xss-to-rce-by-abusing-custom-file-handlers-kentico-xperience-cms-cve-2025-2748/; classtype:attempted-admin; sid:2061259; rev:1; metadata:affected_product Kentico_Xperience_CMS, attack_target Web_Server, tls_state plaintext, created_at 2025_04_03, cve CVE_2025_2748, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect unauthenticated POST to MultiFileUploader.ashx with a .zip filename and Complete=false parameter — the core upload vector for CVE-2025-2748
  • Detect retrieval of uploaded SVG payload via GetResource.ashx referencing the CMSTemp MultiFileUploader staging path — indicates exploitation stage 2 (XSS trigger)
  • Match response body for 'alert(document.domain)' combined with Content-Type 'image/svg+xml' to confirm successful XSS payload delivery from uploaded SVG
  • Use FOFA query 'app="Kentico-CMS"' to identify exposed Kentico Xperience instances for proactive scanning
  • The exploit packages a malicious SVG inside a ZIP archive; look for ZIP uploads (Content-Type: application/octet-stream) to MultiFileUploader.ashx containing embedded SVG files with script tags
  • The Nuclei template uses a hardcoded GUID path (00000000-0000-0000-0000-000000000000) for the staging directory; actual deployments may use different GUIDs, requiring path enumeration
  • The vulnerability is unauthenticated (PR:N), meaning no session or credentials are required to upload the malicious ZIP — perimeter-facing Kentico instances are directly exploitable
  • The Snort/ET rule only covers plaintext (non-TLS) traffic; HTTPS-protected Kentico deployments will not be detected by this signature without TLS inspection
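As an added defender-side example (not code from the page's sources), the following Python applies the two request stages from the bullets above to constructed access-log lines in a hypothetical `src_ip method uri content-type` format; it accepts any staging GUID, not only the all-zero one the Nuclei template hardcodes, and compares paths case-insensitively because the IIS-hosted handler names are:

```python
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_PATH = "/CMSModules/Content/CMSPages/MultiFileUploader.ashx"
RESOURCE_PATH = "/CMSPages/GetResource.ashx"
# Any two-hex-digit bucket and any GUID under the CMSTemp staging directory.
STAGING_RE = re.compile(
    r"^/App_Data/CMSTemp/MultiFileUploader/[0-9a-fA-F]{2}/"
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/",
)
# Hypothetical log layout used for this example: "<src_ip> <method> <uri> <content-type>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return ('upload'|'trigger', src_ip, detail) for one log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, uri, ctype = m.groups()
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    # Stage 1: ZIP sent to the multi-file uploader with Complete=false (the ET rule's logic).
    if method == "POST" and parts.path.lower() == UPLOAD_PATH.lower():
        filename = query.get("Filename", [""])[0]
        complete = query.get("Complete", [""])[0].lower()
        if filename.lower().endswith(".zip") and complete == "false":
            return ("upload", src, filename)
    # Stage 2: an extracted file being read back out of the staging directory.
    if method == "GET" and parts.path.lower() == RESOURCE_PATH.lower():
        image = query.get("image", [""])[0]
        if STAGING_RE.match(image):
            return ("trigger", src, image)
    return None

def scan(lines):
    """Correlate stage-1 uploads with stage-2 retrievals per source address."""
    findings = [f for f in map(classify, lines) if f]
    uploads = {src for kind, src, _ in findings if kind == "upload"}
    triggers = {src for kind, src, _ in findings if kind == "trigger"}
    return {"uploads": sorted(uploads), "triggers": sorted(triggers),
            "both_stages": sorted(uploads & triggers)}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "203.0.113.5 POST /CMSModules/Content/CMSPages/MultiFileUploader.ashx?Filename=x.zip&Complete=false application/octet-stream",
    "203.0.113.5 GET /CMSPages/GetResource.ashx?image=/App_Data/CMSTemp/MultiFileUploader/00/00000000-0000-0000-0000-000000000000/x.svg -",
    "198.51.100.9 POST /CMSModules/Content/CMSPages/MultiFileUploader.ashx?Filename=report.pdf&Complete=true application/octet-stream",
    "192.0.2.7 GET /CMSPages/GetResource.ashx?image=/App_Data/CMSTemp/MultiFileUploader/3a/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b/logo.svg -",
]
```

A source that appears in `both_stages` has performed the upload and then fetched a file back from the staging path, which is the sequence the bullets describe; a trigger alone still merits review because the upload may have arrived over TLS or before logging began.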

CVSS provenance

NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 6.1 MEDIUM