Cyber Resilience

CVE-2025-2749

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 March 2025
Modified: 21 April 2026
KEV Added: see CISA KEV catalog
Patch: available (Kentico hotfixes)
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0477 (89.7th percentile)
Risk Priority: 37 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2749 is a high-severity Path Traversal (CWE-22) vulnerability in Kentico Xperience. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2749 is an authenticated remote code execution vulnerability affecting Kentico Xperience through version 13.0.178. It stems from improper handling of file uploads in the Staging Sync Server component, enabling path traversal (CWE-22) combined with unrestricted upload of dangerous file types (CWE-434). An authenticated user can supply arbitrary data to relative paths, resulting in server-side executable content being written to the filesystem.

An attacker with valid high-privilege credentials on the Staging Sync Server can exploit the flaw over the network to upload and execute arbitrary code, achieving full remote code execution with impacts to confidentiality, integrity, and availability. The CVSS 7.2 score reflects the requirement for authentication while noting the low attack complexity once credentials are obtained.

Kentico has published hotfixes addressing the issue through its DevNet download portal. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity, while third-party analyses from WatchTowr Labs and VulnCheck provide additional technical context on the upload and traversal mechanics.

EPSS for this CVE rose materially from lower values to a peak of 0.1366 on 2026-04-21 before receding to the current 0.0477, indicating that exploitation interest increased after public disclosure.


Vulnerability details

An authenticated remote code execution in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.

CWE(s): CWE-22 (Path Traversal), CWE-434 (Unrestricted Upload of File with Dangerous Type)
KEV Date Added: see CISA KEV catalog

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability in public-facing Kentico Xperience web app enables authenticated RCE via path traversal and arbitrary file upload of server-side executables, directly facilitating exploitation of public-facing applications and deployment of web shells.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2746 (same product: Kentico Xperience; both on KEV)
CVE-2025-2747 (same product: Kentico Xperience; both on KEV)
CVE-2023-53934 (same product: Kentico Xperience)
CVE-2024-57968 (shared CWE-434; both on KEV)
CVE-2025-8110 (shared CWE-22; both on KEV)
CVE-2026-9102 (shared CWE-22, CWE-434)
CVE-2025-52691 (shared CWE-434; both on KEV)
CVE-2026-22786 (shared CWE-22, CWE-434)
CVE-2022-50939 (shared CWE-22, CWE-434)
CVE-2025-35055 (shared CWE-22, CWE-434)

Affected Assets

kentico xperience ≤ 13.0.178

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent: Directly mitigates the vulnerability by requiring timely application of Kentico hotfixes to remediate the path traversal and arbitrary file upload leading to RCE.

prevent: Prevents path traversal and invalid file uploads in the Staging Sync Server by validating user-supplied paths and filenames against allowed patterns.

prevent: Restricts uploads to safe file types and classes of data, blocking dangerous server-executable content exploited via the Staging Sync Server.
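As an added illustration of the input-validation control above (example code written for this page, not Kentico's implementation), the following validator confines a client-supplied relative path to a sync root and refuses server-executable file types, which is the CWE-22 + CWE-434 pairing the analysis describes. The sync root, the extension allow-list and the ASP.NET deny-list are constructed assumptions.

```python
"""Defensive path/filename validation for a sync-style upload endpoint.

Two independent checks: (1) the destination must stay inside the sync root
after normalisation, and (2) the file type must be one the web server will
never execute. Names and lists are constructed for this example.
"""
from pathlib import Path, PurePosixPath

# Constructed allow-list: content a staging sync legitimately carries.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".pdf", ".css", ".js", ".json", ".xml"}
# Constructed deny-list of ASP.NET-executable types (Kentico Xperience runs on
# ASP.NET). Checked in addition to the allow-list so that a later, looser
# allow-list cannot quietly reintroduce executable content.
SERVER_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".config", ".dll", ".exe"}


def validate_sync_upload(relative_path: str, sync_root: str) -> Path:
    """Return the absolute destination for relative_path under sync_root,
    or raise ValueError if the request would escape the root or would
    write server-executable content."""
    root = Path(sync_root).resolve()
    # Normalise client separators; PurePosixPath parses the same on any OS
    # and collapses "." components, so only ".." needs explicit rejection.
    candidate = PurePosixPath(relative_path.replace("\\", "/"))
    if candidate.is_absolute() or not candidate.name:
        raise ValueError("path must be relative and name a file")
    if any(part == ".." or "\0" in part for part in candidate.parts):
        raise ValueError("traversal component in path")
    # suffixes (plural) catches double extensions such as shell.aspx.jpg.
    if {s.lower() for s in candidate.suffixes} & SERVER_EXECUTABLE:
        raise ValueError("server-executable file type rejected")
    if candidate.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not in allow-list")
    dest = (root / Path(*candidate.parts)).resolve()
    # Final containment check on the resolved path (defence in depth).
    if root not in dest.parents:
        raise ValueError("destination resolves outside sync root")
    return dest


def triage(paths, sync_root="/var/www/staging"):
    """Map each upload path to 'accept' or its rejection reason."""
    results = {}
    for p in paths:
        try:
            validate_sync_upload(p, sync_root)
            results[p] = "accept"
        except ValueError as exc:
            results[p] = str(exc)
    return results
```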

References