Cyber Posture

CVE-2025-2746

Tags: Critical · CISA KEV · Active Exploitation · Public PoC

Published: 24 March 2025
Modified: 06 November 2025
KEV Added: 20 October 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8973 (99.6th percentile)
Risk Priority: 93 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-2746 is an authentication bypass vulnerability in Kentico Xperience, affecting versions through 13.0.172. The flaw resides in the Staging Sync Server's handling of empty SHA1 usernames during digest authentication, enabling attackers to bypass authentication and gain control over administrative objects. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants control of administrative objects, potentially leading to full compromise of the affected system, including high confidentiality, integrity, and availability impacts.

Advisories from Watchtowr Labs, VulnCheck, and Kentico recommend applying hotfixes available via the official Kentico devnet download page. Proof-of-concept exploit code is publicly available on GitHub, and detailed technical analysis, including pre-authentication remote code execution chains, is documented in Watchtowr's labs blog.

This vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, indicating real-world exploitation. Security practitioners should prioritize patching affected Kentico Xperience instances.

Details

CWE(s): CWE-288
KEV Date Added: 20 October 2025

Affected Products

Vendor: kentico
Product: xperience
Versions: ≤ 13.0.172

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an authentication bypass in the Kentico Xperience Staging Sync Server, a public-facing web service component, enabling unauthenticated attackers to gain administrative control, directly mapping to exploitation of public-facing applications.

References