{"api_version":"1","generated_at":"2026-04-29T23:44:56+00:00","cve":"CVE-2025-2749","urls":{"html":"https://cve.report/CVE-2025-2749","api":"https://cve.report/api/cve/CVE-2025-2749.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-2749","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-2749"},"summary":{"title":"Kentico Xperience <= 13.0.178 Staging Media File Upload Authenticated RCE","description":"An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.","state":"PUBLISHED","assigner":"VulnCheck","published_at":"2025-03-24 19:15:52","updated_at":"2026-04-21 12:48:29"},"problem_types":["CWE-22","CWE-434","CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-434 CWE-434 Unrestricted Upload of File with Dangerous Type"],"metrics":[{"version":"3.1","source":"disclosure@vulncheck.com","type":"Secondary","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce","name":"https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce","refsource":"disclosure@vulncheck.com","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/","name":"https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/","refsource":"disclosure@vulncheck.com","tags":["Exploit","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://devnet.kentico.com/download/hotfixes","name":"https://devnet.kentico.com/download/hotfixes","refsource":"disclosure@vulncheck.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-2749","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2749","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Kentico","product":"Xperience","version":"affected 13.0.178 custom","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-04-20T00:00:00.000Z","lang":"en","value":"CVE-2025-2749 added to CISA KEV"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Piotr Bazydlo (watchTowr)","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"2749","vulnerable":"1","versionEndIncluding":"13.0.178","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kentico","cpe5":"xperience","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2025","cve_id":"2749","cve":"CVE-2025-2749","vendorProject":"Kentico","product":"Kentico Xperience","vulnerabilityName":"Kentico Xperience Path Traversal Vulnerability","dateAdded":"2026-04-20","shortDescription":"Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.","requiredAction":"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","dueDate":"2026-05-04","knownRansomwareCampaignUse":"Unknown","notes":"https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2749","cwes":"CWE-22,CWE-434","catalogVersion":"2026.04.28","updated_at":"2026-04-28 17:34:35"},"epss":{"cve_year":"2025","cve_id":"2749","cve":"CVE-2025-2749","epss":"0.050510000","percentile":"0.897960000","score_date":"2026-04-28","updated_at":"2026-04-29 00:07:42"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-2749","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-20T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2026-04-20","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749"},"type":"kev"}}],"providerMetadata":{"dateUpdated":"2026-04-21T03:55:36.051Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749"}],"timeline":[{"lang":"en","time":"2026-04-20T00:00:00.000Z","value":"CVE-2025-2749 added to CISA KEV"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Staging"],"product":"Xperience","vendor":"Kentico","versions":[{"lessThanOrEqual":"13.0.178","status":"affected","version":"0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*","versionEndIncluding":"13.0.178","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Piotr Bazydlo (watchTowr)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.<p>This issue affects Kentico Xperience through 13.0.178.</p>"}],"value":"An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178."}],"impacts":[{"capecId":"CAPEC-650","descriptions":[{"lang":"en","value":"CAPEC-650 Upload a Web Shell to a Web Server"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-434","description":"CWE-434 Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-12-17T19:33:42.624Z","orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck"},"references":[{"tags":["technical-description","exploit"],"url":"https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/"},{"tags":["vendor-advisory","patch"],"url":"https://devnet.kentico.com/download/hotfixes"},{"tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce"}],"source":{"discovery":"UNKNOWN"},"title":"Kentico Xperience <= 13.0.178 Staging Media File Upload Authenticated RCE","x_generator":{"engine":"vulncheck"}}},"cveMetadata":{"assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","assignerShortName":"VulnCheck","cveId":"CVE-2025-2749","datePublished":"2025-03-24T18:18:07.228Z","dateReserved":"2025-03-24T16:39:22.986Z","dateUpdated":"2026-04-21T03:55:36.051Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-03-24 19:15:52","lastModifiedDate":"2026-04-21 12:48:29","problem_types":["CWE-22","CWE-434","CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-434 CWE-434 Unrestricted Upload of File with Dangerous Type"],"metrics":{"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*","versionEndIncluding":"13.0.178","matchCriteriaId":"BC749CC3-7A20-49C8-89FB-775818670734"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"2749","Ordinal":"1","Title":"Kentico Xperience <= 13.0.178 Staging Media File Upload Authenti","CVE":"CVE-2025-2749","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"2749","Ordinal":"1","NoteData":"An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.","Type":"Description","Title":"Kentico Xperience <= 13.0.178 Staging Media File Upload Authenti"}]}}}