CVE-2019-10068

CRITICAL KEV NUCLEI

Kentico <12.0.15, 11.0.48, 10.0.52, 9.x - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-10068 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 3 public exploits from researchers including 0x7a-zip, cianananan, Manoj Cherukuri, Justin LeMay, aushack, including a Metasploit module exploits/windows/http/kentico_staging_syncserver. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2019-10068, a deserialization vulnerability in Kentico CMS. The exploit leverages a SoapFormatter payload to achieve remote code execution and drops an ASPX web shell on the target system.

Description

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

Exploits (3)

nomisec WORKING POC
by 0x7a-zip · remote
https://github.com/0x7a-zip/CVE-2019-10068-PoC

This repository contains a functional exploit for CVE-2019-10068, a deserialization vulnerability in Kentico CMS. The exploit leverages a SoapFormatter payload to achieve remote code execution and drops an ASPX web shell on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Kentico CMS
No auth needed
Prerequisites: Metasploit Framework for payload generation · Ruby environment with required gems
devstral-2 · analyzed May 22, 2026 Full analysis →
nomisec WORKING POC
by cianananan · poc
https://github.com/cianananan/CVE-2019-10068-PoC

This repository contains a functional exploit for CVE-2019-10068, a deserialization RCE vulnerability in Kentico CMS. The PoC leverages a SoapFormatter payload to execute arbitrary commands and uploads an ASPX web shell to the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Kentico CMS
No auth needed
Prerequisites: Metasploit Framework for payload generation · Python 3 · Network access to the target
devstral-2 · analyzed Mar 11, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Manoj Cherukuri, Justin LeMay, aushack · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/kentico_staging_syncserver.rb

This Metasploit module exploits a .NET deserialization vulnerability in Kentico CMS via unauthenticated XML requests to the SyncServer.asmx interface, leading to remote command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Kentico CMS 12.0.14 and earlier
No auth needed
Prerequisites: Network access to the target · SyncServer.asmx endpoint exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Kentico CMS Insecure Deserialization Remote Code Execution
CRITICALby davidmckennirey
Shodan: cpe:"cpe:2.3:a:kentico:kentico"

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.9603
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2022-03-25
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2019-2129
CWE
CWE-502
Status published
Products (1)
kentico/xperience 9.0.0 - 9.0.51
Published Mar 26, 2019
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026