CVE-2025-2746
Published: 24 March 2025
Summary
CVE-2025-2746 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Kentico Xperience. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
An authentication bypass vulnerability tracked as CVE-2025-2746 affects Kentico Xperience versions through 13.0.172. The flaw resides in the Staging Sync Server component and stems from improper password handling of empty SHA1 usernames during digest authentication, corresponding to CWE-288. Successful exploitation grants full control over administrative objects without requiring credentials.
Unauthenticated attackers can exploit the issue remotely over the network by supplying crafted digest authentication requests that bypass normal checks. With a CVSS 3.1 score of 9.8, the vulnerability allows complete compromise of affected installations, including administrative functions that could lead to further system control.
Kentico has published hotfixes addressing the issue through its DevNet portal. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, and public analysis from Watchtowr Labs and VulnCheck details the authentication bypass mechanics along with potential follow-on attack chains. The associated EPSS score of 0.9022 reflects a high likelihood of exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8008
Vulnerability details
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through 13.0.172.
- CWE(s)
- KEV Date Added
- 20 October 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an authentication bypass in the Kentico Xperience Staging Sync Server, a public-facing web service component, enabling unauthenticated attackers to gain administrative control, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, prioritization, and correction of flaws, directly mitigating the authentication bypass by applying Kentico's hotfix for CVE-2025-2746.
Vulnerability monitoring and scanning detects the presence of CVE-2025-2746 in Kentico Xperience installations, enabling risk-based remediation.
Receives and disseminates security alerts and advisories, including those for this CISA KEV-listed CVE, to inform patching and protective measures.