CVE-2025-2749

HIGH KEV

Kentico Xperience < 13.0.178 - Path Traversal

Title source: rule

Description

An authenticated remote code execution vulnerability in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server-side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.

Scores

CVSS v3 7.2
EPSS 0.0505
EPSS Percentile 89.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2026-04-20
VulnCheck KEV 2026-04-20
ENISA EUVD EUVD-2025-8010
CWE CWE-22, CWE-434
Status published
Products (2)
kentico/xperience < 13.0.178
Kentico/Xperience < 13.0.178
Published Mar 24, 2025
KEV Added Apr 20, 2026
Tracked Since Feb 18, 2026