Multiple critical authentication bypass vulnerabilities in Kentico Xperience CMS lead to remote code execution
Take action: If you are running Kentico Xperience CMS, this is an urgent patch. By design, a CMS is exposed on the internet. As a workaround, disable the Staging (Sync) Service, or switch the Staging service to use X.509 certificate authentication instead of username/password. In reality, disabling and patching is the way to go. Don't delay, you will be hacked.
Learn More
Two critical security vulnerabilities have been discovered in Kentico Xperience 13, a popular content management system (CMS). The flaws allow unauthenticated attackers to bypass authentication in the Staging Sync Server, potentially gaining administrative control over the entire CMS.
Vulnerability summary
- CVE-2025-2746 (CVSS score 9.8) - Authentication bypass in the Staging Sync Server's digest authentication mechanism. When an invalid or non-existent username is supplied during the SOAP authentication handshake, the password check returns an empty password string for that user instead of rejecting the login attempt. An attacker can therefore bypass authentication by sending a SOAP request that uses WS-Security PasswordDigest authentication with a nonexistent username and a digest computed over an empty password.
- CVE-2025-2747 (CVSS score 9.8) - Authentication bypass in the Staging service due to improper handling of "None" password type. This vulnerability leverages a logical flaw in Microsoft's obsolete WSE 3.0 (Web Services Enhancement) library integrated into Kentico. If an attacker sends a UsernameToken with no Password element at all, the underlying authentication code fails to validate it properly. By providing only a username (and omitting the password) in the SOAP header, an attacker can trick the service into treating the session as authenticated.
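As an added example (not Kentico's or WSE's code), here is a minimal Python validator for a WS-Security UsernameToken that handles the two failure modes above the way a hardened implementation should: a missing Password element is rejected outright, and an unknown username is rejected before any digest comparison, so the check can never be satisfied by a digest over an empty password. The digest formula follows the WS-Security UsernameToken Profile; the user table and the envelope builder are constructed test fixtures.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed credential store standing in for the CMS user table (hypothetical values).
USERS = {"stagingsvc": "s3cret-pass"}


def password_digest(nonce_b64, created, password):
    # WS-Security UsernameToken Profile: Base64(SHA-1(nonce || created || password)),
    # where nonce is the decoded nonce bytes, not its Base64 text.
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username, nonce_b64, created, digest=None):
    # Test fixture: builds a minimal UsernameToken header; digest=None omits Password.
    pw = f'<wsse:Password Type="{DIGEST}">{digest}</wsse:Password>' if digest is not None else ""
    return (f'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><s:Header><wsse:Security>'
            f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>{pw}'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>')


def authenticate(envelope):
    # Accept only a complete PasswordDigest token for a user that actually exists.
    token = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return False
    username = token.findtext(f"{{{WSSE}}}Username")
    password = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    # CVE-2025-2747 class: no Password element (or a non-digest type) is a hard
    # reject, never an "authenticated" session.
    if password is None or password.get("Type") != DIGEST or not password.text:
        return False
    if not (username and nonce and created):
        return False
    # CVE-2025-2746 class: an unknown username is rejected here, so the check can
    # never degrade into a digest comparison against an empty password.
    if username not in USERS:
        return False
    expected = password_digest(nonce, created, USERS[username])
    return hmac.compare_digest(expected, password.text)
```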
These vulnerabilities affect Kentico Xperience through version 13.0.178 (all hotfixes prior to 13.0.179) when the Staging (Sync) Service is enabled and configured to use username/password authentication. By default, the Staging service is disabled, but it's often enabled in deployments that use content staging functionality. Installations using X.509 certificate-based authentication for the Staging service are not affected.
Successful exploitation of either vulnerability allows an unauthenticated attacker to gain administrative access to the Kentico Xperience CMS. The vulnerabilities can be chained with a post-authentication file upload vulnerability (CVE-2025-2749) to achieve full remote code execution on the server.
Users are advised to upgrade to Kentico Xperience 13.0.179 or later, which includes patches for both vulnerabilities. CVE-2025-2746 was fixed in 13.0.173 and CVE-2025-2747 was fixed in 13.0.178.
If immediate patching is not possible, disable the Staging (Sync) Service to eliminate the vulnerable endpoint. If business needs require the service to remain on, restrict access to it at the network level.
Consider switching the Staging service to use X.509 certificate authentication instead of username/password, as this authentication method is not affected by the vulnerabilities.