Cyber Resilience

CVE-2025-2747

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 March 2025
Modified: 06 November 2025
KEV Added: 20 October 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9141 (99.7th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2747 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Kentico Xperience. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-2747 is an authentication bypass vulnerability in Kentico Xperience versions through 13.0.178 that resides in the Staging Sync Server component. The flaw stems from improper password handling when a server is configured with the "None" type, allowing an attacker to circumvent authentication controls entirely. It carries a CVSS 3.1 score of 9.8 and is classified under CWE-288.

Unauthenticated remote attackers can exploit the issue over the network without any user interaction or credentials. Successful exploitation grants full control over administrative objects within the affected Xperience instance, enabling arbitrary changes to the CMS environment.

Kentico has published hotfixes addressing the vulnerability through its DevNet portal. Multiple public advisories, including those from VulnCheck and Watchtowr Labs, detail the flaw and reference a proof-of-concept that demonstrates a pre-authentication remote code execution chain. The CVE is also listed in CISA's Known Exploited Vulnerabilities catalog.

The associated EPSS score has reached 0.9141, indicating a high likelihood of exploitation in the wild.

Vulnerability details

An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
KEV Date Added: 20 October 2025

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in the publicly accessible Kentico Xperience Staging Sync Server API, enabling exploitation of a public-facing web application to gain unauthorized administrative control.

CVEs Like This One

CVE-2025-2746 (same product: Kentico Xperience; both on KEV)
CVE-2025-2749 (same product: Kentico Xperience; both on KEV)
CVE-2023-53934 (same product: Kentico Xperience)
CVE-2025-24472 (shared CWE-288; both on KEV)
CVE-2026-23760 (shared CWE-288; both on KEV)
CVE-2024-55591 (shared CWE-288; both on KEV)
CVE-2026-24858 (shared CWE-288; both on KEV)
CVE-2025-10294 (shared CWE-288)
CVE-2026-3461 (shared CWE-288)
CVE-2025-67070 (shared CWE-288)

Affected Assets

Vendor: kentico
Product: xperience
Versions: ≤ 13.0.178

Mitigating Controls

NIST 800-53 r5 controls

SI-2 Flaw Remediation (prevent)

Mandates timely remediation of flaws, such as applying Kentico hotfixes for this exploited authentication bypass in the Staging Sync Server component listed in CISA KEV.

SC-7 Boundary Protection (prevent, detect)

Monitors and controls communications at external boundaries to block remote unauthenticated attackers from reaching and exploiting the vulnerable Staging Sync Server over the network.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations to prevent unauthorized control of administrative objects despite the authentication bypass in password handling for None type servers.
