Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Two critical security flaws, CVE-2025-2746 and CVE-2025-2747, have been discovered in Kentico Xperience 13, a digital experience platform. Both allow an unauthenticated attacker to bypass authentication on the Staging Sync Server and potentially gain administrative control of the CMS. Each issue carries a CVSS score of 9.8. The vulnerabilities affect Kentico Xperience through version 13.0.178 when the Staging Service is enabled and configured to use username/password authentication. Successful exploitation can lead to unauthorized administrative access, remote code execution, data breaches, and system disruption. Mitigation steps include patching, disabling or restricting the Staging Service, switching to certificate-based authentication, and adding enhanced monitoring and hardening measures.
OPENCTI LABELS:
remote code execution, authentication bypass, cve-2025-2747, cve-2025-2746, kentico xperience, cve-2025-2749