A critical authentication bypass in Kentico Xperience CMS lets attackers log in with only a username, chain to file-write, and execute code. Fixed in 13.0.178; CISA confirms active exploitation since Dec 2024.

A dusty corner of Kentico’s enterprise-grade content-management system—its Staging Sync Service—is under active attack thanks to a pair of "1990s-style" authentication bugs that let anyone on the network become a CMS admin without supplying a password. The flaw, tracked as CVE-2025-2747, carries a CVSS 9.8/10 score and was quietly added to CISA’s Known Exploited Vulnerabilities catalog after researchers saw ransomware crews weaponizing it in the wild.
Late last year, WatchTowr researcher Piotr Bazydlo was poking at Kentico’s SOAP-based staging interface when he noticed something odd: the service, which uses Microsoft’s long-retired Web Services Enhancements 3.0 (WSE3) library, would accept a WS-Security UsernameToken that contained only a username—no password required. Digging deeper, he realized WSE3 returns an empty password string for any non-existent account and that Kentico’s verification logic cheerfully treats an empty password as valid. A second variant (patched in hotfix 173 but still bypassable) accepts a password-digest computed over an empty secret, producing the same result.
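The two defects described above (a lookup that returns an empty secret for unknown accounts, and a verifier that never rejects an empty credential) are easy to reproduce in a few lines. The following is an added illustration, not Kentico's or WSE3's code: `verify_vulnerable` shows the weak pattern, `verify_hardened` the fail-closed form. The account store, nonce and timestamp are constructed sample values; the digest formula is the standard WS-Security UsernameToken PasswordDigest.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed account store standing in for the CMS user database (not Kentico's schema).
USERS = {"editor": "correct horse battery staple"}

# Constructed nonce/created values so the block runs stand-alone.
SAMPLE_NONCE = base64.b64encode(b"0123456789abcdef").decode("ascii")
SAMPLE_CREATED = "2025-03-17T00:00:00Z"


def lookup_password_insecure(username: str) -> str:
    """Mimics the WSE3 behaviour described above: an unknown account yields
    an empty string instead of a failure."""
    return USERS.get(username, "")


def lookup_password(username: str) -> Optional[str]:
    """Hardened lookup: an unknown account is a distinct None, never an empty secret."""
    return USERS.get(username)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security UsernameToken PasswordDigest: Base64(SHA-1(nonce + created + password))."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def verify_vulnerable(token: dict) -> bool:
    """Illustrative weak check. Two defects combine: the lookup returns '' for
    unknown users, and nothing rejects an empty secret, so a username-only token
    ('' == '') and a digest computed over '' both verify."""
    stored = lookup_password_insecure(token["username"])
    if "digest" in token:
        return token["digest"] == password_digest(token["nonce"], token["created"], stored)
    return token.get("password", "") == stored


def verify_hardened(token: dict) -> bool:
    """Fail closed: an unknown user, an empty stored secret or an empty supplied
    credential is a rejection, and comparisons are constant-time."""
    stored = lookup_password(token["username"])
    if not stored:
        return False
    if "digest" in token:
        expected = password_digest(token["nonce"], token["created"], stored)
        return hmac.compare_digest(token["digest"], expected)
    supplied = token.get("password")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, stored)


if __name__ == "__main__":
    ghost = {"username": "ghost"}  # account that does not exist, no password supplied
    print("vulnerable accepts username-only token:", verify_vulnerable(ghost))
    print("hardened accepts username-only token:  ", verify_hardened(ghost))
```

The lesson is the fail-closed rule: a credential lookup must distinguish "no such account" from "account with this secret", and the verifier must refuse any empty or absent credential before it ever compares anything.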
With staging privileges in hand, Bazydlo then abused a path-traversal quirk in the media-upload API to write an ASPX webshell anywhere on the web root, completing an unauthenticated remote-code-execution chain. Public proof-of-concept code was released March 17; within days CISA flagged "generic ransomware activity" abusing the bug.
Think of the Staging Service as a side door reserved for content editors. Instead of a key, it relies on an older electronic keypad (WSE3). If you type any name and hit Enter without a code, the keypad still buzzes you in. Once inside, you reach a storage room (media library) whose file cabinet accepts a folder path. Append ../../inetpub/wwwroot/shell.aspx and the cabinet dutifully places your file outside the protected media directory.
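The "file cabinet that accepts a folder path" is a classic path-containment failure. As an added example (not Kentico's media-library code; the directory layout, extension allow-list and parameter names are assumptions), `media_path_vulnerable` shows the naive join that honours `..` segments, and `media_path_hardened` shows the checks a defender wants: a single-component file name, an allow-listed extension, no `..` or absolute sub-folder, Windows separators treated as separators, and a final containment test that does not rely on the lexical filters.

```python
import posixpath
from typing import Optional

# Constructed example layout; not the real Kentico directory structure.
MEDIA_ROOT = "/inetpub/wwwroot/site/media"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def media_path_vulnerable(sub_folder: str, file_name: str) -> str:
    """Naive join + normalise. '..' segments in sub_folder are honoured, so the
    result can land outside MEDIA_ROOT (the behaviour the article describes)."""
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, sub_folder, file_name))


def media_path_hardened(sub_folder: str, file_name: str) -> Optional[str]:
    """Return the safe absolute path, or None when the upload must be refused."""
    # Treat backslashes as separators too, so '..\\..' cannot slip past the checks.
    sub = sub_folder.replace("\\", "/")
    name = file_name.replace("\\", "/")

    # The file name must be one path component with an allow-listed extension.
    if "/" in name or name in ("", ".", ".."):
        return None
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None

    # The sub-folder must be relative and free of '..' segments.
    if sub.startswith("/"):
        return None
    parts = [p for p in sub.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return None

    full = posixpath.normpath(posixpath.join(MEDIA_ROOT, *parts, name))
    # Independent containment check: the resolved path must still sit under MEDIA_ROOT.
    if posixpath.commonpath([MEDIA_ROOT, full]) != MEDIA_ROOT:
        return None
    return full


if __name__ == "__main__":
    print("vulnerable:", media_path_vulnerable("../../", "shell.aspx"))   # escapes media root
    print("hardened:  ", media_path_hardened("../../", "shell.aspx"))     # None
    print("hardened:  ", media_path_hardened("2025/03", "logo.png"))       # inside media root
```

Two layers matter here: the lexical filters reject obviously bad input early, but the `commonpath` check is what actually guarantees containment, and it is the one to keep even if the filters are later relaxed.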
Simplified attack flow:

1. Send a request to https://site/CMSPages/Staging/SyncServer.asmx with a SOAP envelope containing the username-only UsernameToken described above.
2. Invoke ProcessSynchronizationTaskData, embedding an ASPX payload in TaskBinaryData and setting librarySubFolderPath to ../../shell.aspx.
3. Request /shell.aspx; the code runs under the IIS application-pool identity.

Kentico patched the chain in hotfix 13.0.178, released March 6.
| Vendor | Product | Affected versions | Fixed version |
|---|---|---|---|
| Kentico | Kentico Xperience CMS | 12.x (all builds), 13.0.0 – 13.0.177 | ≥ 13.0.178 |
Staging is enabled with username/password authentication by default on many installations, particularly in load-balanced or multi-environment configurations. Kentico claims over 30,000 sites worldwide; CISA’s KEV entry singles out U.S. state and federal agencies among high-value targets.
Block access to /CMSPages/Staging/SyncServer.asmx at the WAF or firewall unless it is business-critical.

CVE-2025-2747 is the latest reminder that obsolete middleware never truly retires; it just waits for a security researcher (or ransomware gang) to notice. Microsoft deprecated WSE3 in 2009. Yet its remnant code lives inside countless enterprise platforms that layered extra security assumptions on top. When those assumptions break, as they did here, the resulting trust gap spans the entire application stack.
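Where the staging endpoint cannot be blocked outright, a WAF or reverse-proxy rule can at least refuse the request shapes this chain depends on. The following is an added example of such an inspection, not a Kentico or vendor rule: it restricts the endpoint to an allow-list of staging peers, rejects a UsernameToken that carries no password, and rejects a librarySubFolderPath containing traversal. The peer network, the SOAP body namespace (`urn:example-staging`) and the sample requests are constructed; the `wsse` namespace is the real OASIS WS-Security one, and element matching ignores namespaces so prefixes do not matter.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network
from typing import List, Tuple

STAGING_ENDPOINT = "/CMSPages/Staging/SyncServer.asmx"
# Constructed allow-list: the environments that legitimately call the staging service.
STAGING_PEERS = [ip_network("10.20.0.0/24")]

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def _local(tag: str) -> str:
    """Strip the XML namespace so rules do not depend on exact prefixes."""
    return tag.rsplit("}", 1)[-1]


def inspect_staging_request(path: str, source_ip: str, body: bytes) -> Tuple[str, List[str]]:
    """Return ('allow' | 'block', reasons). Only the staging endpoint is examined."""
    if not path.lower().startswith(STAGING_ENDPOINT.lower()):
        return "allow", []
    reasons: List[str] = []
    if not any(ip_address(source_ip) in net for net in STAGING_PEERS):
        reasons.append("source not in staging allow-list")
    try:
        root = ET.fromstring(body)  # in production use defusedxml to resist entity attacks
    except ET.ParseError:
        return "block", reasons + ["unparseable SOAP body"]
    for el in root.iter():
        name = _local(el.tag)
        if name == "UsernameToken":
            pw = [c for c in el if _local(c.tag) == "Password"]
            if not pw or not (pw[0].text or "").strip():
                reasons.append("UsernameToken without a password")
        elif name == "librarySubFolderPath":
            value = (el.text or "").replace("\\", "/")
            if ".." in value.split("/") or value.startswith("/"):
                reasons.append("path traversal in librarySubFolderPath: %r" % el.text)
    return ("block" if reasons else "allow"), reasons


def _soap(token_inner: str, sub_folder: str) -> bytes:
    """Build a constructed sample envelope; the body namespace is a placeholder."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="%s">'
        "<s:Header><wsse:Security><wsse:UsernameToken>%s</wsse:UsernameToken>"
        "</wsse:Security></s:Header>"
        '<s:Body><ProcessSynchronizationTaskData xmlns="urn:example-staging">'
        "<librarySubFolderPath>%s</librarySubFolderPath>"
        "</ProcessSynchronizationTaskData></s:Body></s:Envelope>" % (WSSE, token_inner, sub_folder)
    ).encode("utf-8")


# Constructed samples: a normal sync, a username-only token, and a traversal sub-folder.
SAMPLE_OK = _soap("<wsse:Username>stagingsvc</wsse:Username>"
                  "<wsse:Password>example-secret</wsse:Password>", "2025/03")
SAMPLE_NO_PASSWORD = _soap("<wsse:Username>stagingsvc</wsse:Username>", "2025/03")
SAMPLE_TRAVERSAL = _soap("<wsse:Username>stagingsvc</wsse:Username>"
                         "<wsse:Password>example-secret</wsse:Password>", "../../")


if __name__ == "__main__":
    for label, body in [("ok", SAMPLE_OK), ("no-password", SAMPLE_NO_PASSWORD), ("traversal", SAMPLE_TRAVERSAL)]:
        print(label, inspect_staging_request(STAGING_ENDPOINT, "10.20.0.5", body))
```

The source allow-list is the rule that holds regardless of payload details; the two body checks are there to catch the specific shapes described in this article and should be treated as a stopgap until the 13.0.178 hotfix is applied.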
Kentico has pledged to migrate staging communication away from WSE3, but no timeline has been announced. Until then, defenders should treat any product still relying on WSE3 as technical debt with an impending due date.
Bottom line: If you run Kentico Xperience 13 (or the unsupported 12.x line) and haven’t applied hotfix 178, disable staging or upgrade today. The internet’s adversaries already have working exploits—and they’re not knocking politely.
CVE-2025-2747 was assigned a CVSS score of 9.8. Kentico released patches on March 6, 2025. CISA has ordered U.S. federal agencies to remediate by November 10, 2025.