Vulnerability-Lookup

CNVD-2026-05137

Vulnerability from cnvd - Published: 2026-01-20

Title

Kentico Xperience存在未明漏洞

Description

Kentico Xperience是Kentico公司的一个数字体验平台。 Kentico Xperience存在安全漏洞，攻击者可利用该漏洞导致路径遍历和任意文件上传，包括可在服务器端执行的内容，从而导致远程代码执行。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://devnet.kentico.com/download/hotfixes

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-2749

Impacted products

Name
Kentico xperience <=13.0.178

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-2749",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-2749"
    }
  },
  "description": "Kentico Xperience\u662fKentico\u516c\u53f8\u7684\u4e00\u4e2a\u6570\u5b57\u4f53\u9a8c\u5e73\u53f0\u3002\n\nKentico Xperience\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8def\u5f84\u904d\u5386\u548c\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\uff0c\u5305\u62ec\u53ef\u5728\u670d\u52a1\u5668\u7aef\u6267\u884c\u7684\u5185\u5bb9\uff0c\u4ece\u800c\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://devnet.kentico.com/download/hotfixes",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-05137",
  "openTime": "2026-01-20",
  "products": {
    "product": "Kentico xperience \u003c=13.0.178"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-2749",
  "serverity": "\u9ad8",
  "submitTime": "2025-03-28",
  "title": "Kentico Xperience\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2025-2749 (GCVE-0-2025-2749)

Vulnerability from cvelistv5 – Published: 2025-03-24 18:18 – Updated: 2025-12-17 19:33

Title

Kentico Xperience <= 13.0.178 Staging Media File Upload Authenticated RCE

Summary

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

VulnCheck

References

URL

Tags

	https://labs.watchtowr.com/bypassing-authenticati…	technical-descriptionexploit
	https://devnet.kentico.com/download/hotfixes	vendor-advisorypatch
	https://www.vulncheck.com/advisories/kentico-xper…	third-party-advisory

Impacted products

	Vendor	Product	Version
	Kentico	Xperience	Affected: 0 , ≤ 13.0.178 (custom)

Credits

Piotr Bazydlo (watchTowr)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2749",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-24T19:11:52.756220Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-24T19:16:31.029Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Staging"
          ],
          "product": "Xperience",
          "vendor": "Kentico",
          "versions": [
            {
              "lessThanOrEqual": "13.0.178",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "13.0.178",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Piotr Bazydlo (watchTowr)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.\u003cp\u003eThis issue affects Kentico Xperience through 13.0.178.\u003c/p\u003e"
            }
          ],
          "value": "An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-650",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-650 Upload a Web Shell to a Web Server"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-17T19:33:42.624Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "technical-description",
            "exploit"
          ],
          "url": "https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/"
        },
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://devnet.kentico.com/download/hotfixes"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Kentico Xperience \u003c= 13.0.178 Staging Media File Upload Authenticated RCE",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-2749",
    "datePublished": "2025-03-24T18:18:07.228Z",
    "dateReserved": "2025-03-24T16:39:22.986Z",
    "dateUpdated": "2025-12-17T19:33:42.624Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-05137

CVE-2025-2749 (GCVE-0-2025-2749)

Tags

Sightings

Nomenclature