CISA warns of active exploitation of critical authentication bypass flaws in Kentico Xperience CMS
Take action: If you're using Kentico Xperience CMS with the Staging Sync Server enabled (any version before 13.0.179), update immediately to version 13.0.179 or later. Attackers are actively exploiting these flaws to take complete control of affected systems. If you can't update, disable the Staging Sync Server entirely or restrict network access to it to trusted internal IPs.
CISA is warning of active exploitation of two critical authentication bypass flaws in Kentico Xperience CMS when the Staging Sync Server component is enabled and configured. The flaws allow unauthenticated attackers to bypass the Staging Sync Server's authentication mechanisms, potentially gaining administrative control over the entire CMS.
Vulnerability summary:
- CVE-2025-2746 (CVSS score 9.8): An authentication bypass in the Staging Sync Server's digest authentication mechanism, caused by a flaw in how the server handles the password for an empty or invalid SHA1 username. When an invalid or non-existent username is supplied during the SOAP authentication handshake, the server feeds an empty password string into the password check instead of rejecting the login attempt.
- CVE-2025-2747 (CVSS score 9.8): An authentication bypass in the Staging Sync Server's password handling for the server-defined "None" authentication type. The service erroneously grants access to SOAP requests that carry no valid password credentials, effectively logging the attacker in with full privileges.
Researchers chained these authentication bypasses with a post-authentication file upload vulnerability (CVE-2025-2749) to achieve full remote code execution on the server, leading to complete compromise of the host.
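Both flaws described above are instances of an authentication path that fails open: one substitutes an empty password when the username is unknown, the other grants access when no credentials are presented at all. The following added example (illustrative code written for this page, not Kentico's implementation; the toy digest scheme, the `SyncRequest` fields, the `SERVER_AUTH_TYPE` setting and the credential store are all assumptions) models each flawed pattern beside its fail-closed counterpart and bundles the regression cases a defender would keep in the test suite for such a handshake:

```python
"""Toy model of the two failure modes in the advisory: a digest check that
substitutes an empty password for an unknown user, and a handler that grants
access when no credentials are sent. Both are fixed by failing closed.
Illustrative code only; not Kentico's implementation or digest scheme."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed credential store (a real store holds password hashes, not plaintext).
USERS = {"syncadmin": "correct-horse-battery-staple"}
# Assumed server-side setting: the only authentication scheme the server honours.
SERVER_AUTH_TYPE = "Digest"


@dataclass
class SyncRequest:
    """Minimal stand-in for the fields an authentication handshake carries."""
    username: str
    nonce: str
    auth_type: str = "Digest"
    client_digest: Optional[str] = None


def compute_digest(username: str, nonce: str, password: str) -> str:
    # Toy digest: SHA1 over user:nonce:password (shape only, not the real scheme).
    return hashlib.sha1(f"{username}:{nonce}:{password}".encode()).hexdigest()


def lookup_password_flawed(username: str) -> str:
    # Flaw pattern (cf. CVE-2025-2746): an unknown user yields "" instead of an
    # error, so a digest computed over an empty password verifies.
    return USERS.get(username, "")


def lookup_password_fixed(username: str) -> Optional[str]:
    # Unknown user returns None; every caller must treat None as "reject".
    return USERS.get(username)


def authenticate_flawed(req: SyncRequest) -> bool:
    if req.auth_type == "None":
        # Flaw pattern (cf. CVE-2025-2747): absent credentials are accepted.
        return True
    if req.client_digest is None:
        return False
    expected = compute_digest(req.username, req.nonce,
                              lookup_password_flawed(req.username))
    return hmac.compare_digest(expected, req.client_digest)


def authenticate_fixed(req: SyncRequest) -> bool:
    # Only the server-configured scheme is honoured, so a client cannot
    # downgrade to "None"; a missing digest or unknown user is rejected.
    if req.auth_type != SERVER_AUTH_TYPE or req.client_digest is None:
        return False
    password = lookup_password_fixed(req.username)
    if password is None:
        return False  # fail closed on unknown user
    expected = compute_digest(req.username, req.nonce, password)
    return hmac.compare_digest(expected, req.client_digest)


def regression_checks() -> dict:
    """Three constructed handshakes: a legitimate user, an unknown user, and a
    request that sends no credentials. Only the first should ever succeed."""
    nonce = "constructed-nonce-001"
    legit = SyncRequest("syncadmin", nonce, client_digest=compute_digest(
        "syncadmin", nonce, USERS["syncadmin"]))
    unknown_user = SyncRequest("nobody", nonce,
                               client_digest=compute_digest("nobody", nonce, ""))
    no_creds = SyncRequest("nobody", nonce, auth_type="None")
    cases = (legit, unknown_user, no_creds)
    return {
        "flawed": tuple(authenticate_flawed(c) for c in cases),
        "fixed": tuple(authenticate_fixed(c) for c in cases),
    }


if __name__ == "__main__":
    for name, result in regression_checks().items():
        print(f"{name}: legit={result[0]} unknown_user={result[1]} no_creds={result[2]}")
```

The fixed path has two properties worth copying into any sync or replication endpoint: the credential lookup distinguishes "no such user" from "empty password" with a distinct return value rather than a sentinel string, and the authentication scheme is decided by server configuration alone, so a request cannot select a weaker one. Running the block shows the flawed variant accepting all three constructed handshakes and the fixed variant accepting only the legitimate one.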
Affected versions of Kentico Xperience include:
- Kentico Xperience versions through 13.0.172 (CVE-2025-2746)
- Kentico Xperience versions through 13.0.178 (CVE-2025-2747)
- All versions prior to 13.0.179 when the Staging (Sync) Service is enabled and configured
Versions that are not affected:
- Kentico Xperience version 13.0.179 and later versions (includes patches for both vulnerabilities)
- Kentico Xperience version 13.0.173 and later (CVE-2025-2746 patched)
- Kentico Xperience version 13.0.178 and later (CVE-2025-2747 patched)
CISA has directed all Federal Civilian Executive Branch agencies to apply vendor mitigations by November 10, 2025, and private organizations are strongly encouraged to follow the same timeline to minimize exposure and prevent potential attacks.
For organizations unable to upgrade immediately, security experts recommend disabling the Staging (Sync) Service endpoint if business operations permit. If the service must remain operational, restrict access to it at the network level to internal networks, VPNs, or trusted IP addresses only.