CVE-2025-2749
Published: 24 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-2749 is an authenticated remote code execution vulnerability in Kentico Xperience. It enables authenticated users with access to the Staging Sync Server to upload arbitrary data to path-relative locations, resulting in path traversal and arbitrary file upload, including server-side executable content that leads to remote code execution. This issue affects Kentico Xperience versions through 13.0.178 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
The vulnerability can be exploited by authenticated users possessing high privileges (PR:H) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N) required. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the same security scope (S:U), specifically by executing arbitrary code on the server.
Kentico provides hotfixes via their devnet download portal for mitigation. Advisories from VulnCheck detail the Staging Media file upload mechanism enabling authenticated RCE, while Watchtower Labs describes authentication bypass techniques forming a pre-auth RCE chain. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists CVE-2025-2749 in its Known Exploited Vulnerabilities Catalog, indicating active real-world exploitation.
Security practitioners should prioritize patching affected Kentico Xperience instances, given the confirmed exploitation status and potential for privilege escalation chains.
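The two weaknesses named above are the upload handler accepting a path that escapes the media root (CWE-22) and accepting a file type the web server will execute (CWE-434). The following is an added illustration, not Kentico's code, of the confinement and file-type checks that close both; the media root, the media-type allowlist and the sample paths are constructed for the example.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Added example (not Kentico's code): the confinement and file-type checks a
# path-relative media sync handler needs to close CWE-22 and CWE-434.

# Extensions IIS/ASP.NET would treat as server-side code: always rejected.
SERVER_EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx",
                          ".cshtml", ".config", ".dll", ".exe", ".svc"}
# Allowlist of media types the sync is expected to carry (constructed).
ALLOWED_MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp4"}
# One path segment: a plain name with at most one extension. This also
# rejects ".", "..", empty segments, NUL bytes, ';' and leftover '%'.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$")


def resolve_media_path(media_root: str, relative_path: str) -> str:
    """Return the absolute target for a sync upload, or raise ValueError."""
    # Decode once; a second encoding layer leaves '%', which SEGMENT_RE rejects.
    # Backslashes are folded to '/' because the target is an IIS/.NET host.
    decoded = unquote(relative_path).replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute path rejected")
    segments = decoded.split("/")
    for seg in segments:
        if not SEGMENT_RE.match(seg):
            raise ValueError(f"illegal path segment {seg!r}")
    ext = posixpath.splitext(segments[-1])[1].lower()
    if ext in SERVER_EXECUTABLE_EXTS or ext not in ALLOWED_MEDIA_EXTS:
        raise ValueError(f"file type {ext!r} not allowed")
    # Re-check confinement after OS normalisation (symlinks, case, etc.).
    root = os.path.realpath(media_root)
    full = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes media root")
    return full


def check_sync_request(media_root: str, relative_path: str) -> str:
    """Classify a sync upload path as 'accept' or 'reject:<reason>'."""
    try:
        resolve_media_path(media_root, relative_path)
        return "accept"
    except ValueError as exc:
        return f"reject:{exc}"
```

The segment regex is deliberately stricter than a bare `..` check, so encoded, backslash and double-extension variants fail closed before any filesystem call is made.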
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Kentico Xperience web application enables authenticated RCE via path traversal and arbitrary upload of server-side executable files, which directly maps to exploitation of public-facing applications and deployment of web shells.