Description
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
Published: 2025-03-24
Score: 7.2 High
EPSS: 5.0% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user of Kentico Xperience’s Staging Sync Server can upload arbitrary data to paths relative to the application, enabling path traversal and arbitrary file upload. Uploaded content can be executed server side, resulting in remote code execution on the host. The vulnerability is tied to CWE‑22 (Path Traversal) and CWE‑434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

Kentico Xperience versions through 13.0.178 are affected. Any user with authentication to the CMS who can interact with the Staging Sync Server is potentially vulnerable. No specific OS or middleware is mentioned beyond the Kentico platform itself.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of 3% reflects a lower exploitation probability. The vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, underscoring active exploitation risk. Because the flaw requires authenticated access to the Staging Sync feature, the attack vector is likely an insider or compromised CMS user, though the impact remains full remote code execution on the web server.

Generated by OpenCVE AI on May 2, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official hotfix available from Kentico (https://devnet.kentico.com/download/hotfixes).
  • If the hotfix cannot be applied immediately, restrict or disable the Staging Sync Server feature for all users except a minimal trusted group, and ensure it is not exposed to remote networks.
  • Monitor authentication and upload logs for anomalous activity, focusing on attempts to upload files to unexpected directories.
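The two weaknesses named in the analysis above (CWE-22 and CWE-434) and the third recommended action (watching upload logs for writes to unexpected directories) share one defensive check, shown here as an added example. This is not Kentico's code and says nothing about how the Staging Sync Server is implemented; the media root, the extension allow-list and the log line format are assumptions constructed for the example.

```python
from pathlib import Path, PurePosixPath
import re
from urllib.parse import unquote

# Assumptions for this example (not Kentico settings): where media lives and
# which file types a media upload endpoint has any reason to accept.
MEDIA_ROOT = "/var/www/app/media"
ALLOWED_MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp4"}


def safe_destination(media_root: str, requested: str) -> Path:
    """Return the absolute destination for a client-supplied relative name, or
    raise ValueError if it would escape media_root or is not an allowed media type.

    The containment test runs on the fully resolved path, so '..' segments,
    leading slashes and backslash separators are all caught by the same rule.
    """
    root = Path(media_root).resolve()
    # Normalise separators before parsing so 'x\..\..\y' is seen as traversal too.
    rel = PurePosixPath(requested.replace("\\", "/"))
    if rel.is_absolute():
        raise ValueError(f"absolute path rejected: {requested!r}")
    candidate = root.joinpath(*rel.parts).resolve()
    # CWE-22 guard: the candidate must still sit beneath the resolved root.
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path traversal rejected: {requested!r}")
    # CWE-434 guard: extension allow-list; server-executable types are never media.
    if candidate.suffix.lower() not in ALLOWED_MEDIA_EXT:
        raise ValueError(f"file type not allowed: {candidate.suffix!r}")
    return candidate


def is_safe_upload(media_root: str, requested: str) -> bool:
    """Boolean form of safe_destination, convenient for log scanning and tests."""
    try:
        safe_destination(media_root, requested)
        return True
    except ValueError:
        return False


# Constructed log format for the example: one event per line, raw request form.
LOG_RE = re.compile(r"user=(?P<user>\S+) action=upload path=(?P<path>\S+)")

SAMPLE_LOG = [  # constructed sample lines, not real Kentico log output
    "2026-04-20T10:01:02Z user=editor1 action=upload path=2026/04/banner.png status=200",
    "2026-04-20T10:05:44Z user=editor1 action=upload path=..%2F..%2Fweb.config status=200",
    "2026-04-20T10:06:10Z user=svc_stage action=upload path=2026/04/page.aspx status=200",
    "2026-04-20T10:07:00Z user=editor2 action=login status=200",
]


def scan_upload_log(lines, media_root=MEDIA_ROOT):
    """Return (user, raw_path, reason) for every upload event whose target would
    fail the checks above. The logged path is URL-decoded first, because web logs
    usually carry the request as the client sent it."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            safe_destination(media_root, unquote(m["path"]))
        except ValueError as why:
            findings.append((m["user"], m["path"], str(why)))
    return findings


if __name__ == "__main__":
    for user, path, reason in scan_upload_log(SAMPLE_LOG):
        print(f"ALERT user={user} path={path}: {reason}")
```

Two design points matter here. The containment check compares resolved paths rather than searching the string for `..`, so encoded, backslash-separated or absolute variants all fall under the same rule. The extension allow-list is a necessary but not sufficient file-type control: a production endpoint should also verify content (magic bytes, image decoding) and store uploads outside any directory the web server will execute from.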



Advisories
Source: EUVD
ID: EUVD-2025-8010
Title: An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
History

Mon, 20 Apr 2026 20:15:00 +0000

Type: References

Type: Metrics
Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 19:30:00 +0000

Type: Metrics
Added: kev {'dateAdded': '2026-04-20T00:00:00+00:00', 'dueDate': '2026-05-04T00:00:00+00:00'}


Tue, 04 Nov 2025 22:30:00 +0000


Tue, 04 Nov 2025 21:30:00 +0000

Type: Title
Removed: Kentico Xperience Staging media files upload authenticated remote code execution
Added: Kentico Xperience <= 13.0.178 Staging Media File Upload Authenticated RCE

Thu, 16 Oct 2025 20:15:00 +0000

Type: CPEs
Added: cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*

Mon, 24 Mar 2025 20:15:00 +0000

Type: Metrics
Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 19:15:00 +0000

Type: Metrics
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 18:30:00 +0000

Type: Description
Added: An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.

Type: Title
Added: Kentico Xperience Staging media files upload authenticated remote code execution

Type: Weaknesses
Added: CWE-22, CWE-434

Type: References

Type: Metrics
Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T03:55:36.051Z

Reserved: 2025-03-24T16:39:22.986Z

Link: CVE-2025-2749

Vulnrichment

Updated: 2025-03-24T18:44:16.090Z

NVD

Status: Analyzed

Published: 2025-03-24T19:15:52.400

Modified: 2026-04-21T12:48:29.933

Link: CVE-2025-2749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T15:15:26Z

Weaknesses