CVE-2025-2746
CRITICAL | KEV | NUCLEI
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
Title source: nuclei
Description
An authentication bypass vulnerability in Kentico Xperience stems from the Staging Sync Server's password handling of empty SHA1 usernames in digest authentication. The bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.
Nuclei Templates (1)
Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
CRITICAL | VERIFIED | by DhiyaneshDK
FOFA: app="Kentico-CMS"
Scores
CVSS v3: 9.8
EPSS: 0.8428
EPSS Percentile: 99.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV: 2025-10-20
VulnCheck KEV: 2025-10-20
ENISA EUVD: EUVD-2025-8008
CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Status: published
Products (1)
kentico/xperience < 13.0.172
Published: Mar 24, 2025
KEV Added: Oct 20, 2025
Tracked Since: Feb 18, 2026