Kentico Xperience CVE-2025-2749

Severity: HIGH (CVSS 3.1 base score 7.2)
Weakness: Path Traversal (CWE-22)
Disclosed: 2025-03-24 (disclosure@vulncheck.com)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events)

Analysis Updated: Apr 21, 2026 - 12:58 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 20, 2026 - 20:22 (vuln.today), cvss_changed
Added to CISA KEV: Apr 20, 2026 - 19:31 (CISA)
Analysis Generated: Mar 28, 2026 - 18:33 (vuln.today)
Patch released: Mar 28, 2026 - 18:33 (nvd), patch available
PoC Detected: Nov 04, 2025 - 23:15 (vuln.today), public exploit code
CVE Published: Mar 24, 2025 - 19:15 (nvd)

Description (NVD)

An authenticated remote code execution in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server-side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.

Analysis (AI)

Remote code execution in Kentico Xperience CMS versions through 13.0.178 allows authenticated administrators to upload arbitrary files to controlled server paths via path traversal in the Staging Sync Server component. Confirmed actively exploited in the wild (CISA KEV). Public exploit available with detailed bypass techniques. EPSS score of 1.23% (79th percentile) suggests targeted exploitation rather than widespread scanning. While CVSS 7.2 requires high-privilege (administrator) authentication, active exploitation status makes this a priority for organizations running Kentico CMS.

Technical Context (AI)

Kentico Xperience is an ASP.NET-based enterprise CMS and digital experience platform. The vulnerability resides in the Staging Sync Server module, which handles content synchronization between environments. The flaw is rooted in CWE-22 (Path Traversal) where the application fails to properly sanitize user-supplied file paths during upload operations. Attackers can manipulate relative path parameters (e.g., '../../../') to write files outside intended directories. By uploading executable content such as ASPX web shells to web-accessible locations, attackers achieve server-side code execution with the privileges of the IIS application pool. The CPE identifier cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:* confirms the Xperience product line is affected through version 13.0.178. The CVSS vector (AV:N/AC:L) indicates network-accessible exploitation with low complexity once authenticated access is obtained.

Remediation (AI)

Apply the vendor-released hotfix immediately from Kentico DevNet (https://devnet.kentico.com/download/hotfixes) to upgrade beyond version 13.0.178. Kentico provides version-specific patches through its support portal, which requires authenticated access. If immediate patching is not feasible, disable the Staging Sync Server module entirely in web.config or IIS application settings until patching can occur; this prevents exploitation but breaks content synchronization workflows between staging and production environments. Restrict network access to Staging Sync endpoints using IP allowlisting at the firewall or web application firewall level, permitting only known synchronization server IPs. Audit all administrator accounts for compromise and reset credentials, since the authentication requirement means attackers likely obtained or bypassed admin credentials. Review IIS logs and the file system for suspicious ASPX uploads in non-standard directories, checking for web shells created post-exploitation. Note that disabling Staging Sync impacts content deployment workflows and may require manual promotion processes.
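As an added example (not code from vuln.today or Kentico), the IIS log review the remediation section calls for: a Python triage over W3C-format IIS log lines that flags Staging Sync requests from non-allowlisted IPs, URL-decoded path traversal sequences (including double encoding), and .aspx requests outside the directories where pages normally live. The log sample is constructed; the staging endpoint path, the allowlisted peer IP and the ASPX directory prefixes are assumptions to adapt to your installation.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log sample (not real traffic). Column order
# follows the "#Fields:" header line, exactly as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2026-04-20 19:00:01 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 admin 203.0.113.7 200
2026-04-20 19:00:09 10.0.0.5 GET /media/..%252f..%252fweb.config - 443 - 203.0.113.7 404
2026-04-20 19:00:15 10.0.0.5 GET /media/upload/update.aspx - 443 - 203.0.113.7 200
2026-04-20 19:01:00 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 admin 10.0.0.9 200
2026-04-20 19:01:30 10.0.0.5 GET /Admin/default.aspx - 443 admin 192.0.2.10 200
"""

# Assumed values (placeholders): the staging endpoint path, the one allowlisted
# sync peer, and the directory prefixes where .aspx pages legitimately live.
STAGING_PATH = "/cmspages/staging/syncserver.asmx"
ALLOWED_SYNC_IPS = {"10.0.0.9"}
ASPX_DIRS = ("/cmspages/", "/admin/", "/cmsmodules/")
TRAVERSAL = re.compile(r"\.\.[/\\]")  # ../ or ..\ after decoding

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(text):
    """Return (reason, client_ip, decoded_uri) findings worth a closer look."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):  # IIS names the columns here
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        r = dict(zip(fields, line.split()))
        uri = decode_fully(r["cs-uri-stem"]).lower()
        query = decode_fully(r["cs-uri-query"]).lower()
        if uri == STAGING_PATH and r["c-ip"] not in ALLOWED_SYNC_IPS:
            findings.append(("staging sync from non-allowlisted ip", r["c-ip"], uri))
        if TRAVERSAL.search(uri) or TRAVERSAL.search(query):
            findings.append(("path traversal sequence", r["c-ip"], uri))
        if uri.endswith(".aspx") and not uri.startswith(ASPX_DIRS):
            findings.append(("aspx outside expected directories", r["c-ip"], uri))
    return findings
```

Calling triage(SAMPLE_LOG) returns three findings for the constructed sample, all from 203.0.113.7; the allowlisted sync peer and the legitimate /Admin page produce none.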

CVE-2025-2749 vulnerability details – vuln.today