CVE-2025-2749

Kentico Xperience — Authenticated Path Traversal in Staging Sync Server Leading to Remote Code Execution
CVSS 3.1: 7.2 / 10 (HIGH) | CISA Known Exploited Vulnerability

What is Kentico Xperience?

Kentico Xperience is a .NET-based digital experience platform (DXP) and content management system (CMS) used by organizations to build and manage websites, e-commerce portals, and digital marketing campaigns. It is popular in enterprise, higher education, healthcare, and government sectors. The platform includes a Staging Sync Server feature that allows content to be synchronized between Kentico environments (e.g., staging to production), which is the component affected by this vulnerability.

Because Kentico Xperience installations typically run as ASP.NET applications on Windows IIS servers and handle content publication workflows, a compromise gives attackers the ability to execute arbitrary code within the web application's context — effectively owning the web server.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026, with a remediation deadline of May 4, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2025-2749 is an authenticated path traversal and arbitrary file upload vulnerability in the Staging Sync Server component of Kentico Xperience. An authenticated attacker — one who holds valid Staging Sync Server credentials — can upload arbitrary files to path-relative locations outside the intended upload directory. If the attacker uploads an ASP.NET script (e.g., a .aspx webshell) to a web-accessible directory, it will be executed server-side by IIS, resulting in full remote code execution (RCE) within the application's context.

Affected Versions

Status       Kentico Xperience Version
Vulnerable   All versions through 13.0.178
Fixed        Versions after 13.0.178 (hotfix)

The vulnerability was reported by VulnCheck and affects the entire Kentico Xperience 13 branch up to and including build 13.0.178.

Technical Details

The Staging Sync Server in Kentico Xperience is a component designed to transfer content and configuration between Kentico environments. It exposes a file upload interface used during the synchronization process.

The flaw lies in insufficient validation of file paths during upload. The Staging Sync Server does not properly restrict the target path of uploaded files to a safe, designated directory. By manipulating path parameters with relative traversal sequences (e.g., ../../), an authenticated attacker can direct uploaded file content to arbitrary locations on the server's filesystem.

Attack chain to RCE:

  1. Attacker authenticates to the Staging Sync Server with valid credentials
  2. Attacker crafts a file upload request with a path-traversal sequence targeting a web-accessible directory (e.g., the site root or a known public folder)
  3. Attacker uploads a malicious ASP.NET webshell (e.g., shell.aspx) to that directory
  4. Attacker accesses the uploaded file via HTTP, triggering IIS to execute the ASP.NET code
  5. Attacker has arbitrary command execution on the web server

Attack characteristics:

  • Authentication required: Yes — valid Staging Sync Server credentials
  • Attack complexity: Low (once credentials are obtained)
  • Network-accessible: Yes
  • User interaction: None
  • Potential impact: Full RCE, data theft, malware deployment, persistent access

Although authentication is required, organizations that use Staging Sync Server may expose it to a broader set of users (e.g., content editors, staging administrators) than the primary CMS admin panel. Phishing or credential stuffing can satisfy the authentication requirement.

Discovery

CVE-2025-2749 was discovered and reported by VulnCheck, which submitted the CVE to NVD on March 24, 2025. The vulnerability was confirmed as actively exploited in the wild at or shortly after the time of disclosure.

Exploitation Context

CISA confirmed active exploitation of CVE-2025-2749 when adding it to the KEV catalog on April 20, 2026. SecurityWeek reported that the flaw had been exploited in real-world attacks against Kentico Xperience installations, with threat actors using it alongside other recently exploited vulnerabilities in enterprise software (Cisco SD-WAN, Zimbra ZCS) added to KEV in the same batch.

The primary exploitation path involves uploading ASP.NET webshells to gain persistent remote code execution on the underlying Windows server. From there, attackers typically move to credential harvesting, lateral movement, and data exfiltration.

Remediation

CISA BOD 22-01 Deadline: May 4, 2026. Apply Kentico's hotfix immediately. Organizations running Kentico Xperience 13.0.178 or earlier should treat the installation as potentially compromised until the hotfix is applied and logs are reviewed.

  1. Apply the Kentico hotfix — upgrade Kentico Xperience to a version beyond 13.0.178. Download hotfixes from devnet.kentico.com/download/hotfixes.
  2. If immediate patching is not possible, restrict network access to the Staging Sync Server endpoint to only trusted administrative IP addresses via firewall or IIS IP restrictions.
  3. Audit and minimize Staging Sync Server accounts — apply the principle of least privilege, ensuring only accounts that genuinely require this feature have access.
  4. Scan web-accessible directories for unexpected .aspx, .ashx, or other script files that could be webshells uploaded by attackers.
  5. Review IIS access logs for unusual POST requests to the Staging Sync Server endpoint, particularly those with path traversal sequences (../, %2e%2e%2f).
  6. Check for signs of lateral movement from the web server to internal systems — credential theft tools, unusual PowerShell execution, or new local/domain accounts.
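As an added defender-side example (not code from the advisory, CISA or Kentico), the following Python carries out the log review in step 5 over a constructed IIS W3C log excerpt: it reads the #Fields header, percent-decodes the logged URI until stable so double-encoded sequences such as %252e%252e%255c are caught, folds backslashes to forward slashes, and reports POST requests to the Staging Sync Server path whose URI contains a traversal sequence. The endpoint path /staging-sync and all log lines are assumptions and constructed samples, since the advisory names neither.

```python
import re
from urllib.parse import unquote

# Placeholder Staging Sync Server path (assumption; the advisory does not name it).
STAGING_ENDPOINT = "/staging-sync"

# Constructed IIS W3C log excerpt for demonstration; not from a real incident.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-04-18 09:12:01 POST /staging-sync - stagingsvc 10.0.0.20 200
2026-04-18 09:12:09 POST /staging-sync path=..%2f..%2fshell.aspx stagingsvc 203.0.113.7 200
2026-04-18 09:13:02 POST /staging-sync path=%252e%252e%255cCMSPages%255cs.aspx editor1 198.51.100.9 200
2026-04-18 09:14:44 POST /other/upload file=../x.txt editor1 198.51.100.9 404
"""

# ".." bounded by a path separator or query delimiter, checked after decoding.
TRAVERSAL = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")

def canonicalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding), fold backslashes to '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_traversal(value: str) -> bool:
    return TRAVERSAL.search(canonicalize(value)) is not None

def parse_iis_w3c(log_text: str):
    """Yield one dict per request line, keyed by the #Fields directive names."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields and len(raw.split()) == len(fields):
            yield dict(zip(fields, raw.split()))

def find_staging_traversal(log_text: str, endpoint: str = STAGING_ENDPOINT):
    """Return (c-ip, cs-username, decoded URI) for staging POSTs carrying traversal."""
    ep, hits = endpoint.lower(), []
    for rec in parse_iis_w3c(log_text):
        stem = rec["cs-uri-stem"]
        if rec["cs-method"] != "POST" or not (stem.lower() == ep or stem.lower().startswith(ep + "/")):
            continue
        uri = stem if rec["cs-uri-query"] == "-" else f"{stem}?{rec['cs-uri-query']}"
        if has_traversal(uri):
            hits.append((rec["c-ip"], rec["cs-username"], canonicalize(uri)))
    return hits
```

IIS W3C logs do not record request bodies, which is where an upload's path parameter may actually travel, so an empty result does not clear the host; pair this check with the file scan in step 4.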

Key Details

Property               Value
CVE ID                 CVE-2025-2749
Vendor / Product       Kentico — Kentico Xperience
NVD Published          2025-03-24
NVD Last Modified      2026-04-21
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-22 — Path Traversal (Unrestricted File Upload)
CISA KEV Added         2026-04-20
CISA KEV Deadline      2026-05-04
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  High
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-05-04. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-03-24   CVE-2025-2749 published by VulnCheck; Kentico hotfix released for versions beyond 13.0.178
2025-03-25   Security advisories circulate; exploitation in the wild reported
2026-04-20   Added to CISA Known Exploited Vulnerabilities catalog
2026-05-04   CISA BOD 22-01 remediation deadline