CVE-2025-2749
Published: 2025-03-24
Priority: P1 · 81 · high · CVSS 3.1 base score 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV), remediation due 2026-05-04; exploited in the wild
EPSS: 3.85% (88.8th percentile)
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kentico | xperience | <= 13.0.178 | — |
Detection & IOCs (extracted from sources)
- Vulnerability is exploitable via the Staging Sync Server component in Kentico Xperience — monitor for authenticated requests to Staging Sync Server endpoints that include path traversal sequences (e.g., '../') in file upload parameters
- Flag any file uploads via the Staging Sync Server that result in files being written outside of expected directories, particularly to web-accessible paths that could enable server-side code execution
- Scope detection to Kentico Xperience versions up to and including 13.0.178; presence of this version in the environment indicates an unpatched, exploitable instance
- Exploitation requires prior authentication — detections should account for the attacker already holding valid credentials; unauthenticated access alone is not sufficient to trigger this vulnerability
- Vendor hotfixes are the designated remediation source; patch availability should be verified at the official hotfix portal before assuming a given instance is protected
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |
VulDB
vuldb · 2026-04-21 · CVSS 7.2
CVE-2025-2749 [HIGH] Kentico Xperience up to 13.0.178 Sync Server path traversal (EUVD-2025-8010 / Nessus ID 271229)
A vulnerability identified as critical has been detected in Kentico Xperience up to 13.0.178. This affects an unknown function of the component Sync Server Handler. The manipulation leads to path traversal.
This vulnerability is traded as CVE-2025-2749. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
GHSA
ghsa_unreviewed · 2025-03-24
CVE-2025-2749 [HIGH] CWE-22 GHSA-g53h-cfhr-24hw
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
VulnCheck
vulncheck · 2025 · CVSS 7.2
CVE-2025-2749 [HIGH] CWE-22 Kentico Xperience Path Traversal Vulnerability
Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.
Affected: Kentico Kentico Xperience
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-05-04
CISA
cisa · 2026-04-20 · CVSS 7.2
CVE-2025-2749 [HIGH] CWE-22 Kentico Xperience Path Traversal Vulnerability
Affected: Kentico Kentico Xperience
Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2749
Remediation Due Date: 2026-05-04
No detection rules found.
No public exploits indexed.
References
- https://devnet.kentico.com/download/hotfixes
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
- https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749
Timeline
- 2025-03-24: Published
- 2026-04-20: Added to CISA KEV
- Exploited in the wild