Search

Kentico Xperience CVE-2025-2749 Authenticated Remote Code Execution

CISA added CVE-2025-2749 to the Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026. The vulnerability is an authenticated remote code execution flaw in Kentico Xperience (versions through 13.0.178) arising from path traversal and unrestricted file upload in the Staging Sync Server component. The CVSS 3.1 base score is 7.2 (HIGH), and CISA's SSVC assessment classifies the exploitation as active with total technical impact. A hotfix is available via the vendor's download page.

CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026. The vulnerabilities include CVE IDs for PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager. CISA cites evidence of active exploitation and notes these are frequent attack vectors posing significant risk to the federal enterprise.

KENTICO Trademark Application Published for Opposition

The USPTO has published the trademark application for KENTICO, covering software for digital marketing content management and related services. The application was published for opposition on March 26, 2026, with a filing date of January 28, 2025.