HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-2749

CVSS 7.2v3.1pub. 2025-03-24upd. 2026-04-21

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Kentico Xperience

    APP
    Kentico
    ≤ 13.0.178

CISA KEV — detailsi

Vendori
Kentico
Producti
Kentico Xperience
Added to KEVi
April 20, 2026
Remediation deadline (US Federal)i
May 4, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 4 maja 2026
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2025-2747CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Kentico Xperience — Authentication Bypass w komponencie Staging Sync Server

CVE-2025-2746CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Kentico Xperience – pominięcie uwierzytelnienia w Staging Sync Server

CVE-2019-10068CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9....

CVE-2019-12102CRITICAL9.1ten sam produkt

Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medial...

CVE-2017-17736CRITICAL9.8ten sam produkt

Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator acces...