
CVE-2019-10068

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 26 March 2019
Modified: 19 December 2025
KEV added: 25 March 2022
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9381 (99.9th percentile)
Risk priority: 96 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-10068 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Kentico Xperience. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-10068 is a deserialization vulnerability affecting the staging service in Kentico CMS versions 12.0.x prior to 12.0.15, 11.0.x prior to 11.0.48, 10.0.x prior to 10.0.52, and all 9.x releases. The root cause is insufficient validation of security headers, which permits a crafted request to bypass authentication and supply attacker-controlled .NET objects for deserialization, directly enabling remote code execution on the host server. The flaw is tracked under CWE-502 and carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker with network access can submit a malicious request to the staging endpoint, trigger unsafe deserialization, and obtain arbitrary code execution with the privileges of the Kentico process. No user interaction or credentials are required, and the attack can result in full compromise of confidentiality, integrity, and availability on the affected server.

Kentico released hotfixes that address the issue for the supported branches, available via the vendor’s security updates page. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, and public exploit code has been published demonstrating remote command execution against unpatched instances.


Vulnerability details

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV date added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: kentico
Product: xperience
Affected versions: 9.0.0 to 9.0.51 · 10.0.0 to 10.0.52 · 11.0.0 to 11.0.48

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of all inputs (including security headers) before deserializing untrusted .NET objects, blocking the authentication bypass and RCE path in the staging service.

AC-3 Access Enforcement (prevent): Enforces access-control decisions on every request to the staging endpoint, preventing the crafted request from bypassing authentication and reaching the deserializer.

Software and information integrity (prevent, detect): Requires integrity verification of software and information to detect or block execution of attacker-supplied deserialized objects that alter system behavior.
