Remote Code Execution Vulnerability in Kentico Xperience
CVE-2025-2749

Currently unrated

Key Information:

Vendor: Kentico
Status: Kentico Xperience
Vendor: CVE Published:; 24 March 2025

What is CVE-2025-2749?

An authenticated vulnerability in Kentico Xperience allows authenticated users to exploit a flaw in the Staging Sync Server, enabling them to upload arbitrary files to relative paths on the server. This flaw poses a serious risk as it facilitates path traversal and arbitrary file uploads, permitting attackers to execute potentially malicious content on the server side.

References

https://devnet.kentico.com/download/hotfixes

https://labs.watchtowr.com/bypassing-authentication-like-...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2025