CVE-2025-2746
Published: 24 March 2025
Summary
CVE-2025-2746 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Kentico Xperience. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, prioritization, and correction of flaws, directly mitigating the authentication bypass by applying Kentico's hotfix for CVE-2025-2746.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability monitoring and scanning detects the presence of CVE-2025-2746 in Kentico Xperience installations, enabling risk-based remediation.
- SI-5 (Security Alerts, Advisories, and Directives): receives and disseminates security alerts and advisories, including those for this CISA KEV-listed CVE, to inform patching and protective measures.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The CVE describes an authentication bypass in the Kentico Xperience Staging Sync Server, a public-facing web service component, enabling unauthenticated attackers to gain administrative control, directly mapping to exploitation of public-facing applications.
NVD Description
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.
Deeper analysis
CVE-2025-2746 is an authentication bypass vulnerability in Kentico Xperience, affecting versions through 13.0.172. The flaw resides in the Staging Sync Server's handling of empty SHA1 usernames during digest authentication, enabling attackers to bypass authentication and gain control over administrative objects. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants control of administrative objects, potentially leading to full compromise of the affected system, including high confidentiality, integrity, and availability impacts.
Advisories from watchTowr Labs, VulnCheck, and Kentico recommend applying the hotfixes available from the official Kentico DevNet download page. Proof-of-concept exploit code is publicly available on GitHub, and a detailed technical analysis, including pre-authentication remote code execution chains, is documented on the watchTowr Labs blog.
This vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, indicating real-world exploitation. Security practitioners should prioritize patching affected Kentico Xperience instances.
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
- KEV Date Added: 20 October 2025