Cyber Posture

CVE-2025-2749

High · CISA KEV · Active Exploitation · Public PoC

Published: 24 March 2025
Modified: 21 April 2026
KEV Added: see the CISA KEV catalog
Patch: Kentico hotfixes (devnet download portal)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0377 (88.1st percentile)
Risk Priority: 37 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2749 is a high-severity Path Traversal (CWE-22) vulnerability in Kentico Xperience. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly mitigates the vulnerability by requiring timely application of Kentico hotfixes to remediate the path traversal and arbitrary file upload leading to RCE.
- prevent: Prevents path traversal and invalid file uploads in the Staging Sync Server by validating user-supplied paths and filenames against allowed patterns.
- prevent: Restricts uploads to safe file types and classes of data, blocking dangerous server-executable content exploited via the Staging Sync Server.

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability in the public-facing Kentico Xperience web application enables authenticated RCE via path traversal and arbitrary upload of server-side executable files, which corresponds directly to exploitation of a public-facing application (T1190) and to the deployment of web shells (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.

Deeper analysis [AI]

CVE-2025-2749 is an authenticated remote code execution vulnerability in Kentico Xperience. It enables authenticated users with access to the Staging Sync Server to upload arbitrary data to path-relative locations, resulting in path traversal and arbitrary file upload, including server-side executable content that leads to remote code execution. This issue affects Kentico Xperience versions through 13.0.178 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

The vulnerability can be exploited by authenticated users possessing high privileges (PR:H) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N) required. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the same security scope (S:U), specifically by executing arbitrary code on the server.

Kentico provides hotfixes via their devnet download portal for mitigation. Advisories from VulnCheck detail the Staging Media file upload mechanism enabling authenticated RCE, while Watchtower Labs describes authentication bypass techniques forming a pre-auth RCE chain. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists CVE-2025-2749 in its Known Exploited Vulnerabilities Catalog, indicating active real-world exploitation.

Security practitioners should prioritize patching affected Kentico Xperience instances, given the confirmed exploitation status and potential for privilege escalation chains.
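The two preventive controls listed above (confining user-supplied paths to the upload root against CWE-22, and a closed allowlist of non-executable types against CWE-434) are easy to get subtly wrong, so here is a defender-side illustration of both checks applied to a relative upload path. This is added example code, not Kentico's Staging Sync Server implementation; the root directory, the allowlist and the sample requests are constructed.

```python
import posixpath
from typing import Optional

# Constructed allowlist of non-executable types; a real deployment tunes this.
ALLOWED_EXTENSIONS = frozenset({".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"})


def validate_upload_target(root: str, user_path: str,
                           allowed=ALLOWED_EXTENSIONS) -> Optional[str]:
    """Return the confined destination path, or None if the upload must be rejected.

    user_path is expected to be the already URL-decoded, client-supplied relative path.
    """
    if not user_path or "\x00" in user_path:
        return None
    # Windows-hosted apps see both separators; normalize before any check (CWE-22).
    p = user_path.replace("\\", "/")
    # Only relative paths are legitimate: reject absolute paths and drive letters.
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return None
    root_norm = posixpath.normpath(root.replace("\\", "/"))
    dest = posixpath.normpath(posixpath.join(root_norm, p))
    # After '..' collapsing, the destination must still sit strictly under the root.
    if not dest.startswith(root_norm.rstrip("/") + "/"):
        return None
    # CWE-434: accept only a closed set of types, judged on the final suffix.
    # Trailing dots/spaces are rejected because IIS strips them ("shell.aspx." -> shell.aspx).
    name = posixpath.basename(dest)
    if name.startswith(".") or name != name.rstrip(". "):
        return None
    ext = posixpath.splitext(name)[1].lower()
    if not ext or ext not in allowed:
        return None
    return dest


# Constructed sample requests with the expected accept/reject decision.
CONSTRUCTED_REQUESTS = {
    "banner.png": True,
    "2025/03/report.pdf": True,
    "img/photo.PNG": True,
    "../../web.config": False,            # traversal out of the root
    r"..\..\CMSPages\shell.aspx": False,  # same, with Windows separators
    "images/shell.aspx": False,           # inside root, but executable type
    "notes.txt\x00.aspx": False,          # null-byte truncation attempt
    "/etc/passwd": False,                 # absolute path
    "C:/inetpub/wwwroot/x.png": False,    # drive-letter path
    "img/.htaccess": False,               # dotfile, no allowed suffix
}


def evaluate_samples(root: str = "/srv/kentico/staging") -> dict:
    """Run every constructed request through the validator; True means accepted."""
    return {req: validate_upload_target(root, req) is not None
            for req in CONSTRUCTED_REQUESTS}
```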

Details

CWE(s): CWE-22, CWE-434
KEV Date Added: See CISA KEV catalog

Affected Products

Kentico Xperience ≤ 13.0.178

CVEs Like This One

- CVE-2025-2746 (same product: Kentico Xperience; both on KEV)
- CVE-2025-2747 (same product: Kentico Xperience; both on KEV)
- CVE-2024-57968 (shared CWE-434; both on KEV)
- CVE-2025-52691 (shared CWE-434; both on KEV)
- CVE-2025-35055 (shared CWE-22, CWE-434)
- CVE-2025-8110 (shared CWE-22; both on KEV)
- CVE-2026-22786 (shared CWE-22, CWE-434)
- CVE-2024-57727 (shared CWE-22; both on KEV)
- CVE-2024-57728 (shared CWE-22; both on KEV)
- CVE-2025-61884 (shared CWE-22; both on KEV)
