CVE-2025-2749
published 2025-03-24

CVE-2025-2749: authenticated remote code execution in Kentico Xperience via path traversal and arbitrary file upload through the Staging Sync Server

Priority: P1 (81) · Severity: high · CVSS 3.1 base score: 7.2
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
KEV · ITW: listed in the CISA Known Exploited Vulnerabilities catalog (remediation due 2026-05-04); exploited in the wild
EPSS: 3.85% (88.8th percentile)
An authenticated remote code execution vulnerability in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server-side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.

Affected

1 range
Vendor     Product    Version range   Fixed in
kentico    xperience  <= 13.0.178

Detection & IOCs (extracted from sources)

  • The vulnerable component is the Staging Sync Server in Kentico Xperience: monitor authenticated requests to its endpoints for path traversal sequences (`../`, `..\`, and their URL-encoded or double-encoded forms) in file upload parameters.
  • Flag any file upload via the Staging Sync Server that writes outside the expected staging directories, particularly to web-accessible paths where a dropped file could be executed server-side.
  • Scope detection to Kentico Xperience versions up to and including 13.0.178; an instance reporting such a version should be treated as unpatched and exploitable until the vendor hotfix is confirmed.
  • Exploitation requires prior authentication (CVSS PR:H, i.e. a high-privileged account): detections should assume the attacker already holds valid credentials, so correlate staging traffic with the account that issued it and look for unexpected sources or times. Unauthenticated access alone does not trigger this vulnerability.
  • Vendor hotfixes are the designated remediation; verify hotfix availability and installation through Kentico's official hotfix portal before assuming a given instance is protected.
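The detection points above (traversal sequences in staging upload parameters, writes that resolve outside the staging root, and the affected version range) as a worked example. This is an added example, not code from the CVE page, from Kentico or from any named source. It assumes the Staging Sync Server endpoint is /CMSPages/Staging/SyncServer.asmx (the path Kentico documents for the staging service; verify it against your deployment), a staging root directory you supply, and a constructed log line layout (timestamp, user, method, URI path, status, optional quoted file parameter) that stands in for whatever your reverse proxy or WAF actually records; the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: Kentico's staging service endpoint. Confirm for your site.
STAGING_ENDPOINT = "/CMSPages/Staging/SyncServer.asmx"
# From the advisory: affected "through 13.0.178".
LAST_AFFECTED = (13, 0, 178)

# Constructed log layout (not a real Kentico or IIS format):
#   <timestamp> <user> <method> <uri-path> <status> [file="<upload target>"]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})'
    r'(?: file="(?P<file>[^"]*)")?$'
)

# "../" or "..\" after decoding; covers %2e%2e%2f and %2e%2e%5c variants.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\)")


def decode_twice(value: str) -> str:
    """Undo URL encoding twice so double-encoded sequences (%252e%252e%252f) are caught."""
    return unquote(unquote(value))


def has_traversal(value: str) -> bool:
    """Bullet 1: does the upload parameter contain a path traversal sequence?"""
    return bool(TRAVERSAL_RE.search(decode_twice(value)))


def is_affected_version(version: str) -> bool:
    """Bullet 3: is a dotted version string within the affected range (<= 13.0.178)?"""
    parts = tuple(int(p) for p in version.split("."))
    parts = (parts + (0, 0, 0))[:3]  # pad short strings, ignore trailing components
    return parts <= LAST_AFFECTED


def escapes_base(base_dir: str, relative: str) -> bool:
    """Bullet 2: would base_dir joined with the decoded upload path resolve outside base_dir?

    Backslashes are normalised to slashes because Kentico runs on Windows/IIS. An absolute
    path (POSIX or drive-letter) is always treated as an escape.
    """
    rel = decode_twice(relative).replace("\\", "/")
    if re.match(r"^[A-Za-z]:", rel):
        return True
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, rel))
    return not (target == base or target.startswith(base + "/"))


def scan_log(lines, staging_root="/inetpub/wwwroot/CMS/App_Data/Staging"):
    """Return one finding per suspicious Staging Sync Server request, keyed to the account used."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["path"].lower() != STAGING_ENDPOINT.lower():
            continue
        target = m["file"] or ""
        reasons = []
        if has_traversal(target):
            reasons.append("traversal sequence in file parameter")
        if target and escapes_base(staging_root, target):
            reasons.append("resolved path leaves staging root")
        if reasons:
            findings.append({"ts": m["ts"], "user": m["user"], "file": target, "reasons": reasons})
    return findings


# Constructed sample lines: one benign staging sync, one raw and one encoded traversal
# attempt from the same service account, and an unrelated admin page request.
SAMPLE_LOG = [
    '2025-03-25T10:14:02Z stagingsvc POST /CMSPages/Staging/SyncServer.asmx 200 file="Documents/page1.xml"',
    '2025-03-25T10:14:09Z stagingsvc POST /CMSPages/Staging/SyncServer.asmx 200 file="../../CMSPages/shell.aspx"',
    '2025-03-25T10:14:15Z stagingsvc POST /CMSPages/Staging/SyncServer.asmx 200 file="..%5c..%5cCMSPages%5cshell.aspx"',
    '2025-03-25T10:15:00Z editor GET /Admin/CMSAdministration.aspx 200',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("13.0.178 affected:", is_affected_version("13.0.178"))
```

The two path checks are deliberately separate: has_traversal fires on any `..` segment, which is the cheap, noisy signal for a hunt, while escapes_base only fires when the resolved target actually leaves the staging root, which is the signal to page on. Because the CVSS vector requires a high-privileged account, every finding carries the user field so the account can be checked against who is expected to run staging syncs.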

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.2     HIGH       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck             7.2     HIGH
cisa                  7.2     HIGH