cbcvebase.
CVE-2025-32370
published 2025-04-06


Priority: P2 60; severity: critical, CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tag: EXPLOIT
EPSS: 1.35% (68.0th percentile)
Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS.

Affected

1 range

Vendor   | Product   | Version range | Fixed in
kentico  | xperience | < 13.0.178    | 13.0.178

Detection & IOCs (extracted from sources)

url: /CMSModules/.../MultiFileUploader.ashx
filename: poc.svc
url: ?Filename=<zip_filename>&Complete=false
  • Monitor for unauthenticated HTTP POST requests to MultiFileUploader.ashx with query parameters Filename=*.zip and Complete=false, which is the upload vector for this CVE.
  • Detect ZIP file uploads to the Kentico CMSModules upload endpoint with Content-Type: application/octet-stream from unauthenticated sessions; the ZIP is processed by TryZipProviderSafe to extract files with otherwise-disallowed extensions (e.g. .svg, .svc).
  • Alert on files with non-standard or unexpected extensions (e.g. .svg, .svc) appearing in Kentico upload directories following a ZIP upload, as these bypass the ContentUploader allowlist.
  • The embedded SVG payload contains an inline script tag with alert("XSS"); — hunt for SVG files containing <script> tags in Kentico upload directories as evidence of exploitation.
  • The exploit targets Kentico Xperience versions strictly before 13.0.178; version 13.0.178 and later are patched. Confirm the deployed version before applying detection rules, to avoid false positives on patched instances.
  • The NVD advisory notes that this ZIP-based extension bypass is a separate issue not necessarily related to SVG or XSS; the upload primitive itself (arbitrary extension creation via TryZipProviderSafe) is the core vulnerability and may be used to drop other file types beyond SVG.
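The first two detection bullets above, turned into a small log scanner. This is an added example, not code from the page or from Kentico; it assumes a constructed, simplified log layout (method, request target, and an "anon"/"auth" flag for whether the request carried a valid CMS session), and the directory segment between /CMSModules/ and MultiFileUploader.ashx is a placeholder because the page elides it. The rule keys only on the endpoint name, the Filename extension and the Complete parameter, so the real path does not matter.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real traffic). Layout: METHOD TARGET AUTH.
# "anon" = no authenticated CMS session, "auth" = authenticated session.
# The "Example" path segment is a placeholder for the elided directory.
SAMPLE_LOG = """\
POST /CMSModules/Example/MultiFileUploader.ashx?Filename=site.zip&Complete=false anon
POST /CMSModules/Example/MultiFileUploader.ashx?Filename=photo.jpg&Complete=false anon
POST /CMSModules/Example/MultiFileUploader.ashx?Filename=Bundle.ZIP&Complete=true anon
POST /CMSModules/Example/MultiFileUploader.ashx?Filename=site.zip&Complete=false auth
GET /CMSModules/Example/MultiFileUploader.ashx?Filename=site.zip&Complete=false anon
"""


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into method, lowercased path, query dict, authed flag."""
    method, target, auth = line.split()
    parts = urlsplit(target)
    # Lowercase keys and values so Filename=Bundle.ZIP and Complete=FALSE still match.
    query = {k.lower(): v[0].lower() for k, v in parse_qs(parts.query).items()}
    return method.upper(), parts.path.lower(), query, auth == "auth"


def is_uploader_endpoint(path: str) -> bool:
    # Match the ContentUploader handler anywhere under /CMSModules/.
    return path.startswith("/cmsmodules/") and path.endswith("/multifileuploader.ashx")


def scan_log(text: str) -> list:
    """Flag unauthenticated ZIP uploads to MultiFileUploader.ashx; Complete=false is the CVE vector."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        method, path, query, authed = parse_line(raw)
        if method != "POST" or authed or not is_uploader_endpoint(path):
            continue
        if not query.get("filename", "").endswith(".zip"):
            continue
        if query.get("complete") == "false":
            findings.append(Finding(n, "high", "unauthenticated ZIP upload with Complete=false (CVE-2025-32370 vector)"))
        else:
            findings.append(Finding(n, "medium", "unauthenticated ZIP upload to MultiFileUploader.ashx"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity}: {f.reason}")
```

Authenticated uploads and non-ZIP filenames are deliberately ignored; pair this with the version check in the bullet above so patched instances are not flagged.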