CVE-2025-2749
Kentico Xperience < 13.0.178 - Authenticated Remote Code Execution via Staging Sync Server File Upload
Severity: HIGH (listed in CISA KEV)
Title source: llm
Exploitation Summary
CVE-2025-2749 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 20, 2026.
Description
An authenticated remote code execution vulnerability in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server-side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
References (4)
Third Party Advisory, US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749
Third Party Advisory: https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce
Exploit, Third Party Advisory (technical description): https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
Patch (vendor advisory): https://devnet.kentico.com/download/hotfixes
Scores
CVSS v3: 7.2
EPSS: 0.0477
EPSS Percentile: 89.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: no
Technical Impact: total
Details
CISA KEV: 2026-04-20
VulnCheck KEV: 2026-04-20
ENISA EUVD: EUVD-2025-8010
CWE: CWE-22, CWE-434
Status: published
Products (2)
kentico/xperience < 13.0.178
Kentico/Xperience < 13.0.178
Published: Mar 24, 2025
KEV Added: Apr 20, 2026
Tracked Since: Feb 18, 2026