CVE-2025-2749
Published: 24 March 2025
Summary
CVE-2025-2749 is a high-severity Path Traversal (CWE-22) vulnerability in Kentico Xperience. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2749 is an authenticated remote code execution vulnerability affecting Kentico Xperience through version 13.0.178. It stems from improper handling of file uploads in the Staging Sync Server component, enabling path traversal (CWE-22) combined with unrestricted upload of dangerous file types (CWE-434). An authenticated user can supply arbitrary data to relative paths, resulting in server-side executable content being written to the filesystem.
An attacker with valid high-privilege credentials on the Staging Sync Server can exploit the flaw over the network to upload and execute arbitrary code, achieving full remote code execution with impacts to confidentiality, integrity, and availability. The CVSS 7.2 score reflects the requirement for authentication while noting the low attack complexity once credentials are obtained.
Kentico has published hotfixes addressing the issue through its DevNet download portal. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity, while third-party analyses from WatchTowr Labs and VulnCheck provide additional technical context on the upload and traversal mechanics.
The EPSS score for this CVE rose materially from its earlier values to a peak of 0.1366 on 2026-04-21 before receding to the current 0.0477, indicating that exploitation interest increased after public disclosure and has since tapered off.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8010
Vulnerability details
An authenticated remote code execution in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
- CWE(s): CWE-22 (Path Traversal), CWE-434 (Unrestricted Upload of File with Dangerous Type)
- KEV Date Added: see the CISA KEV catalog
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Kentico Xperience web application enables authenticated RCE via path traversal combined with arbitrary upload of server-side executable content, which maps directly to exploitation of public-facing applications (T1190) and the deployment of web shells.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely application of Kentico hotfixes to remediate the path traversal and arbitrary file upload leading to RCE.
- SI-10 (Information Input Validation): prevents path traversal and invalid file uploads in the Staging Sync Server by validating user-supplied paths and filenames against allowed patterns.
- Restricts uploads to safe file types and classes of data, blocking dangerous server-executable content exploited via the Staging Sync Server.
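The two input-validation controls above (validating user-supplied paths against allowed patterns, and restricting uploads to safe file types) are shown together in the following added example. It is illustrative code written for this page, not Kentico's own implementation; the base directory, the extension allowlist and the segment patterns are constructed assumptions. It applies two independent checks to a client-supplied relative path: an allowlist on every path segment and on the file extension, and then a canonical-path containment check, so that the destination cannot escape the upload root even if the allowlist is later loosened.

```python
import os
import re
from pathlib import Path

# Constructed example values (assumptions for this page, not Kentico's configuration).
ALLOWED_EXTENSIONS = {".jpg", ".png", ".pdf", ".txt"}
# One directory segment: alphanumeric start, then alphanumerics, '_' or '-'.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")
# Filename: same stem rules plus exactly one extension (no 'x.aspx.jpg').
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,8}$")


class UploadRejected(ValueError):
    """Raised when a client-supplied upload path fails validation."""


def resolve_upload_target(base_dir: str, client_path: str) -> str:
    """Map a client-supplied relative path to an absolute destination
    beneath base_dir, or raise UploadRejected.

    Check 1 (SI-10 style allowlist): every directory segment and the
    filename must match a strict pattern, and the extension must be in
    ALLOWED_EXTENSIONS. This rejects '..', '.', empty segments, absolute
    paths, drive letters, NUL bytes and server-executable file types.

    Check 2 (containment): the final path is canonicalised and must still
    lie under base_dir. This is defence in depth against future changes
    to the allowlist.
    """
    if not client_path or "\x00" in client_path:
        raise UploadRejected("empty path or NUL byte")
    # Treat backslashes as separators: on Windows hosts they are, and a
    # literal backslash in an upload filename is never wanted on POSIX.
    normalised = client_path.replace("\\", "/")
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        raise UploadRejected("absolute path not allowed")
    segments = normalised.split("/")
    *dirs, filename = segments
    for seg in dirs:
        if not SEGMENT_RE.fullmatch(seg):
            raise UploadRejected(f"bad directory segment: {seg!r}")
    if not FILENAME_RE.fullmatch(filename):
        raise UploadRejected(f"bad filename: {filename!r}")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext}")
    base = Path(base_dir).resolve()
    target = (base / Path(*segments)).resolve()
    # commonpath equals base only when target is inside base.
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise UploadRejected("destination escapes base directory")
    return str(target)


def is_accepted(base_dir: str, client_path: str) -> bool:
    """Convenience wrapper: True if the path passes validation, else False."""
    try:
        resolve_upload_target(base_dir, client_path)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs exercising the validator.
    for candidate in ("images/2025/logo.png", "../../web.config",
                      "media/page.aspx", "media/page.aspx.jpg", "/etc/hosts"):
        print(f"{candidate!r:30} -> {is_accepted('/srv/staging', candidate)}")
```

The pattern check alone would already reject traversal, but keeping the containment check as a second, independent barrier means that a later relaxation of the regex (for example to admit Unicode filenames) cannot silently reintroduce the escape.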