CVE-2025-2746

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 March 2025
Modified: 06 November 2025
KEV Added: 20 October 2025
Patch: available (vendor hotfix)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9022 (99.6th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2746 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Kentico Xperience. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

An authentication bypass vulnerability tracked as CVE-2025-2746 affects Kentico Xperience versions through 13.0.172. The flaw resides in the Staging Sync Server component and stems from how its digest authentication handles passwords for empty SHA1 usernames, corresponding to CWE-288 (Authentication Bypass Using an Alternate Path or Channel). Successful exploitation grants full control over administrative objects without requiring credentials.

Unauthenticated attackers can exploit the issue remotely over the network by supplying crafted digest authentication requests that bypass normal checks. With a CVSS 3.1 score of 9.8, the vulnerability allows complete compromise of affected installations, including administrative functions that could lead to further system control.

Kentico has published hotfixes addressing the issue through its DevNet portal. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, and public analysis from Watchtowr Labs and VulnCheck details the authentication bypass mechanics along with potential follow-on attack chains. The associated EPSS score of 0.9022 reflects a high likelihood of exploitation.

Vulnerability details

Kentico Xperience contains an authentication bypass in the Staging Sync Server's password handling of empty SHA1 usernames in digest authentication. The bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
KEV Date Added: 20 October 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an authentication bypass in the Kentico Xperience Staging Sync Server, a public-facing web service component, that lets unauthenticated attackers gain administrative control; this maps directly to exploitation of public-facing applications.

CVEs Like This One

CVE-2025-2747 (same product: Kentico Xperience; both on KEV)
CVE-2025-2749 (same product: Kentico Xperience; both on KEV)
CVE-2023-53934 (same product: Kentico Xperience)
CVE-2025-24472 (shared CWE-288; both on KEV)
CVE-2026-23760 (shared CWE-288; both on KEV)
CVE-2024-55591 (shared CWE-288; both on KEV)
CVE-2026-24858 (shared CWE-288; both on KEV)
CVE-2025-10294 (shared CWE-288)
CVE-2026-3461 (shared CWE-288)
CVE-2025-67070 (shared CWE-288)

Affected Assets

Vendor: kentico
Product: xperience
Versions: ≤ 13.0.172
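The affected range above ("through 13.0.172") is the kind of fact a vulnerability-scanning control (RA-5) turns into an inventory check. The following is an added example, not code from this page or from Kentico, that compares Kentico Xperience version strings against that last affected version and flags hosts still inside the range. The inventory rows are constructed sample data; the CSV column layout (host, vendor, product, version) is an assumption for the example.

```python
"""Flag Kentico Xperience installs inside the CVE-2025-2746 affected range.

Added example, not from the advisory or the vendor. The advisory states the
issue affects Xperience "through 13.0.172", so any version <= 13.0.172 is
treated as affected and anything above it as outside the stated range.
"""
from typing import List, NamedTuple, Tuple

LAST_AFFECTED = "13.0.172"  # last affected version per the advisory text


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a tuple of ints.

    Raises ValueError for anything that is not purely dotted integers so
    that malformed inventory rows are reported instead of silently ignored.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def version_le(a: str, b: str) -> bool:
    """True when version a <= version b, padding shorter tuples with zeros
    so that "13.0" compares as "13.0.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa <= pb


class Finding(NamedTuple):
    host: str
    version: str
    affected: bool


# Constructed inventory (assumed layout: host,vendor,product,version).
SAMPLE_INVENTORY = """\
web-01,kentico,xperience,13.0.150
web-02,kentico,xperience,13.0.172
web-03,kentico,xperience,13.0.173
cms-legacy,kentico,xperience,12.0.99
other-01,acme,cms,2.4.1
"""


def scan_inventory(text: str) -> List[Finding]:
    """Return one Finding per kentico/xperience row; other products are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, vendor, product, version = (c.strip() for c in line.split(","))
        if vendor.lower() != "kentico" or product.lower() != "xperience":
            continue
        findings.append(Finding(host, version, version_le(version, LAST_AFFECTED)))
    return findings


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        status = "AFFECTED (apply Kentico hotfix)" if f.affected else "outside stated range"
        print(f"{f.host}: {f.version} -> {status}")
```

The comparison pads shorter version strings with zeros rather than comparing them as text, which avoids the classic mistake of ranking "13.0.99" above "13.0.172" lexically.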

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, prioritization, and correction of flaws, directly mitigating the authentication bypass by applying Kentico's hotfix for CVE-2025-2746.

RA-5 Vulnerability Monitoring and Scanning (detect)

Vulnerability monitoring and scanning detects the presence of CVE-2025-2746 in Kentico Xperience installations, enabling risk-based remediation.

SI-5 Security Alerts, Advisories, and Directives (detect)

Receives and disseminates security alerts and advisories, including those for this CISA KEV-listed CVE, to inform patching and protective measures.