Contact

Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)

NetmanageIT OpenCTI - opencti.netmanageit.com

Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)



SUMMARY :

Two critical security flaws, CVE-2025-2746 and CVE-2025-2747, have been discovered in Kentico Xperience 13, a digital experience platform. These vulnerabilities allow unauthenticated attackers to bypass the Staging Sync Server's authentication, potentially gaining administrative control over the CMS. Both issues have a CVSS score of 9.8, indicating their severity. The vulnerabilities affect Kentico Xperience through version 13.0.178 when the Staging Service is enabled and configured to use username/password authentication. Exploitation can lead to unauthorized administrative access, remote code execution, data breaches, and system disruption. Mitigation steps include patching, disabling or restricting the Staging Service, using certificate-based authentication, and implementing enhanced monitoring and hardening measures.

OPENCTI LABELS :

remote code execution,authentication bypass,cve-2025-2747,cve-2025-2746,kentico xperience,cve-2025-2749


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)