CVE-2025-2749

Kentico Xperience <= 13.0.178 Staging Media File Upload Authenticated RCE

Basic Information

CVE State
PUBLISHED
Reserved Date
March 24, 2025
Published Date
March 24, 2025
Last Updated
April 21, 2026
Vendor
Kentico
Product
Xperience
Description
An authenticated remote code execution vulnerability in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
Tags
cisa

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 13:22:22 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2026-06-01 13:22:22 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel