Kentico Xperience CVE-2025-2749 Authenticated Remote Code Execution
Summary
CISA added CVE-2025-2749 to the Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026. The vulnerability is an authenticated remote code execution flaw in Kentico Xperience (versions through 13.0.178) arising from path traversal and unrestricted file upload in the Staging Sync Server component. The CVSS 3.1 base score is 7.2 (HIGH), and CISA's SSVC assessment classifies the exploitation as active with total technical impact. A hotfix is available via the vendor's download page.
What changed
CISA formally added CVE-2025-2749 to the KEV catalog, documenting that this Kentico Xperience vulnerability is actively exploited in the wild. The vulnerability allows authenticated users of the Staging Sync Server to perform path traversal and upload arbitrary files, enabling remote code execution on the server. Affected versions span from version 0 through 13.0.178, with a CVSS 3.1 score of 7.2 (HIGH) and CWEs 22 and 434 listed.
Federal agencies face binding remediation timelines under BOD 22-01 for vulnerabilities in the KEV catalog. Organizations running Kentico Xperience should verify whether their instances expose the Staging Sync Server functionality and apply the available hotfix from the vendor immediately, given the documented active exploitation status.
Archived snapshot
Apr 21, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: VulnCheck
Updated: 2025-12-17
Description
An authenticated remote code execution vulnerability in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
CWE 2 Total
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-434: Unrestricted Upload of File with Dangerous Type
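The two CWEs above describe the server-side checks that were missing: the upload path supplied by the client was used to pick a write location (CWE-22), and the uploaded content was not restricted to inert types (CWE-434). The following Python is an added example written for this page, not Kentico's code and not derived from the vendor hotfix; the upload root, the extension allow-list and the sample inputs are all constructed. It shows the defensive pattern an upload handler needs: treat the client name as data, confine the resolved path under the upload root, and allow-list the file type before anything is written.

```python
"""Added example (not Kentico code): validating a client-supplied upload path
so that it cannot escape the upload root (CWE-22) and cannot carry an
executable file type (CWE-434)."""
from pathlib import Path, PurePosixPath

# Constructed allow-list for this example: only inert media/document types.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


class UploadRejected(ValueError):
    """Raised when a client-supplied upload path fails validation."""


def resolve_upload_target(base_dir: str, client_path: str) -> Path:
    """Return the absolute path an upload may be written to, or raise.

    base_dir is the server-controlled upload root (hypothetical parameter);
    client_path is the untrusted name/relative path sent by the client.
    """
    if "\x00" in client_path:
        raise UploadRejected("NUL byte in upload name")

    base = Path(base_dir).resolve()

    # Normalise separators first so a Windows-style "..\\" is not missed
    # when the check runs on a POSIX host (and vice versa).
    rel = PurePosixPath(client_path.replace("\\", "/"))

    # Reject absolute paths, empty names and any ".." component outright.
    # PurePosixPath already collapses "." and "//" segments for us.
    if rel.is_absolute() or not rel.parts or ".." in rel.parts:
        raise UploadRejected(f"traversal or empty path rejected: {client_path!r}")

    # CWE-434: allow-list the final extension instead of block-listing bad ones.
    if rel.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {rel.suffix!r}")

    # Join under the root and resolve, then insist the result is still inside
    # the root. This second check catches symlinks beneath base_dir that the
    # lexical checks above cannot see.
    target = base.joinpath(*rel.parts).resolve()
    if not target.is_relative_to(base):
        raise UploadRejected(f"resolved outside upload root: {target}")
    return target


def is_safe_upload(base_dir: str, client_path: str) -> bool:
    """Boolean wrapper around resolve_upload_target for quick checks."""
    try:
        resolve_upload_target(base_dir, client_path)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and several that must fail.
    for name in ("images/logo.png", "../web.config", "..\\..\\bin\\x.aspx",
                 "/etc/passwd", "shell.aspx", "", "a\x00.png"):
        print(f"{name!r:28} -> {'accept' if is_safe_upload('uploads', name) else 'reject'}")
```

The order of the checks matters: the extension is tested on the normalised client name, and the containment test runs on the fully resolved target, so neither a traversal sequence nor a symlink can move the write outside the root. Requires Python 3.9 or later for `Path.is_relative_to`.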
CVSS 1 Total
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 7.2 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Product Status
Versions 1 Total
Default Status: unaffected
- affected from 0 through 13.0.178
Credits
- Piotr Bazydlo (watchTowr) finder
References 3 Total
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/ technical-description exploit
- https://devnet.kentico.com/download/hotfixes vendor-advisory patch
- https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce third-party-advisory
Authorized Data Publishers
CISA-ADP
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-04-20 |
KEV 1 Total
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749 (2026-04-20)
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.