TP-EXP-2025-0003 CVE-2025-2749 high Patched AI Draft

Kentico Xperience Staging Sync Server Path Traversal and RCE (CVE-2025-2749)

Severity Assessment

  • Exploitability: 6/10
  • Impact: 9/10
  • Weaponization Risk: 7.5/10
  • Patch Urgency: 8.5/10
  • Detection Coverage: 5/10

Summary

CVE-2025-2749 is an authenticated path traversal and arbitrary file upload vulnerability in the Staging Sync Server component of Kentico Xperience CMS. An attacker with Staging Sync Server credentials can upload files to arbitrary server locations by supplying path traversal sequences in the upload path parameter (NVD CWE-22, CWE-434). Because Kentico Xperience is a .NET-based CMS, an attacker can upload server-executable content and trigger remote code execution (RCE) on the hosting server.

The vulnerability affects Kentico Xperience through version 13.0.178. Kentico released a patch in March 2025. Despite patch availability, CISA added CVE-2025-2749 to the Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026, alongside Cisco and Zimbra vulnerabilities, confirming active exploitation in the wild against unpatched deployments. The required remediation deadline for U.S. federal civilian agencies was May 4, 2026.

The CVSS score of 7.2 (High, AV:N/AC:L/PR:H/UI:N) reflects that staging credentials are required, which moderates the theoretical attack surface. In practice, staging environments often share or reuse credentials across development, staging, and production environments, and staging interfaces are sometimes exposed to the internet without the access controls applied to production endpoints.

Exploit Chain

The exploit targets the Staging Sync Server, a Kentico Xperience component designed to synchronize content between CMS environments:

  1. The attacker presents valid Staging Sync Server credentials to authenticate against the endpoint. The cited sources do not document the specific acquisition path for those credentials.
  2. The attacker sends an authenticated request to the Staging Sync Server’s file upload endpoint, including a path traversal payload in the upload path parameter.
  3. The server fails to sanitize the supplied path, resolving it relative to the upload root and writing the attacker-supplied file to the traversal destination (CWE-22).
  4. The attacker uploads a server-executable payload to a web-accessible location (CWE-434).
  5. The attacker sends a direct HTTP request to the uploaded file’s path, triggering server-side execution and achieving RCE under the application pool’s identity.

The combination of CWE-22 (path traversal) and CWE-434 (unrestricted file upload) creates a reliable path to full server compromise once staging credentials are in hand.

Detection Guidance

  1. Apply Kentico Xperience updates to version 13.0.179 or later (NVD lists versions through 13.0.178 as affected, so 13.0.179 is the first version outside the affected range).
  2. Audit all files in the Kentico CMS web root for unexpected ASPX, ASHX, or other server-executable files, particularly in directories outside the standard CMS content structure.
  3. Review web server access logs for POST requests to the Staging Sync Server file upload endpoint from unexpected IP addresses or at unusual times.
  4. Rotate all Staging Sync Server credentials and audit which accounts have staging access.
  5. Restrict Staging Sync Server endpoint exposure: if staging synchronization is only required within internal networks, block external access at the network or application firewall level.
  6. Alert on HTTP 200 responses to newly created or recently modified server-executable files in the web root that were not part of a known deployment.
  7. Monitor for the web server worker process spawning unexpected child processes (command interpreters or network tools), which indicates successful server-side code execution.
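An added example, not from the advisory or from Kentico, that turns guidance items 3 and 6 into a sweep over IIS W3C extended log lines. The Staging Sync Server upload path is a placeholder, the allow-listed staging network and the deployment manifest are constructed, and "newly created" is approximated as "server-executable path absent from the last known-good deployment".

```python
import ipaddress

# ASSUMPTION: placeholder path; substitute the real Staging Sync Server upload endpoint.
STAGING_SYNC_PATH = "/PLACEHOLDER/stagingsync/upload"
# Constructed: networks from which staging synchronization traffic is expected.
STAGING_ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Constructed: server-executable paths recorded in the last known-good deployment.
KNOWN_EXECUTABLE_PATHS = {"/default.aspx"}
EXECUTABLE_EXTS = (".aspx", ".ashx", ".asmx", ".ascx")


def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_allowed_staging_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in STAGING_ALLOWED_NETS)


def sweep(lines):
    """Return (indicator, client_ip, uri) tuples for guidance items 3 and 6."""
    findings = []
    for rec in parse_w3c(lines):
        method, uri, ip = rec["cs-method"], rec["cs-uri-stem"], rec["c-ip"]
        # Item 3: upload POSTs to the staging endpoint from outside the expected networks.
        if (method == "POST" and uri.lower().startswith(STAGING_SYNC_PATH.lower())
                and not is_allowed_staging_source(ip)):
            findings.append(("staging_upload_external_source", ip, uri))
        # Item 6: a 200 served for a server-executable file absent from the deployment.
        if (method == "GET" and rec["sc-status"] == "200"
                and uri.lower().endswith(EXECUTABLE_EXTS)
                and uri.lower() not in KNOWN_EXECUTABLE_PATHS):
            findings.append(("unknown_executable_served", ip, uri))
    return findings


# Constructed sample log in IIS W3C extended format, not a real capture.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-04-21 03:12:01 POST /PLACEHOLDER/stagingsync/upload - 10.20.4.9 200
2026-04-21 03:14:37 POST /PLACEHOLDER/stagingsync/upload - 203.0.113.45 200
2026-04-21 03:14:52 GET /default.aspx - 198.51.100.7 200
2026-04-21 03:15:03 GET /uploads/cache.aspx - 203.0.113.45 200
""".splitlines()
```

On the constructed sample, the sweep reports the external-source POST and the unknown .aspx served afterwards, and ignores the allow-listed POST and the known page; in production, feed it the real log files and keep the manifest in sync with deployments.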

Indicators of Compromise

Indicators consistent with CVE-2025-2749 exploitation include:

  • Unexpected server-executable files appearing in the Kentico web root or subdirectories, particularly outside standard CMS content paths.
  • HTTP POST requests to the Staging Sync Server file upload endpoint originating from external IP addresses or addresses not associated with known staging environments.
  • The web server worker process spawning command interpreters or reconnaissance tools.
  • Outbound network connections from the web server process to external infrastructure.
  • Presence of web shell signatures (e.g., eval, exec, or request-parameter-driven output) in newly created server-side files.

Disclosure Timeline

2025-03-28 — Vendor patch and CVE assignment

A security patch was released for Kentico Xperience, addressing the path traversal and unrestricted file upload vulnerability in the Staging Sync Server. The vulnerability was publicly disclosed alongside the patch for versions through 13.0.178.

2026-04-20 — CISA KEV listing

CISA added CVE-2025-2749 to the Known Exploited Vulnerabilities catalog alongside Cisco Catalyst SD-WAN Manager and Synacor Zimbra vulnerabilities, confirming active in-the-wild exploitation against unpatched Kentico Xperience deployments. The required remediation deadline was set to May 4, 2026.

2026-04-21 — Public reporting

SecurityWeek reported on the CISA KEV additions, noting that organizations running Kentico Xperience, Cisco Catalyst SD-WAN Manager, and Zimbra Collaboration Suite should treat the vulnerabilities as actively exploited and prioritize patching.

Sources & References