Exploited! Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)
Recently, two critical security flaws were discovered in Kentico Xperience 13, a popular digital experience platform (CMS). Tracked as CVE-2025-2746 and CVE-2025-2747, these vulnerabilities allow unauthenticated attackers to bypass the Staging Sync Server’s authentication, potentially gaining administrative control over the CMS. Both issues carry a CVSS score of 9.8 (Critical) (Warning: Multiple Critical & High vulnerabilities in Kentico Xperience can lead to Remote Code Execution, Patch Immediately! | CCB Safeonweb), underlining the severity and need for immediate attention.
In this article, we’ll break down the details of these vulnerabilities and how they can be exploited, discuss the potential impact of an attack (including the risk of remote code execution), and outline steps to mitigate the threat.
What are CVE-2025-2746 and CVE-2025-2747 Kentico Xperience Authentication Bypass Vulnerabilities?
Affected Software: These vulnerabilities affect Kentico Xperience through version 13.0.178 (all hotfixes prior to 13.0.179) when the Staging (Sync) Service is enabled and configured to use username/password authentication (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). The Staging service is a web service (SOAP API) used to synchronize content between environments (e.g. development, staging, production). By default this service is disabled, but it’s often enabled in deployments that use content staging functionality. Notably, installations using X.509 certificate-based authentication for the Staging service are not affected (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution).
CVE-2025-2746: An authentication bypass in the Staging Sync Server’s digest authentication mechanism. When an invalid or non-existent username is provided during the SOAP authentication handshake, the system improperly handles the password check – it returns an “empty” password string instead of rejecting the login attempt (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). In environments allowing digest-based authentication, this logic flaw lets an attacker present a specially crafted credential that the server accepts as valid, despite not knowing any real password. In short, an attacker can bypass the password check by exploiting how the system treats an empty SHA-1 password hash (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution) (Bypassing Authentication Like It’s The ‘90s – Pre-Auth RCE Chain(s) in Kentico Xperience CMS).
CVE-2025-2747: A second authentication bypass in the Staging service due to the handling of the “None” password type. This leverages a logical flaw in Microsoft’s obsolete WSE 3.0 (Web Services Enhancement) library integrated into Kentico (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). If an attacker sends a UsernameToken with no <Password> element at all, the underlying authentication code fails to validate it properly. The absence of a password (PasswordOption “SendNone”) isn’t caught, allowing the request to proceed as authenticated (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). Essentially, providing only a username (and omitting the password) in the SOAP header can trick the service into treating the session as authenticated.
In both cases, a remote attacker with no prior access can exploit these flaws to bypass authentication on the Kentico Xperience Staging SOAP API (Warning: Multiple Critical & High vulnerabilities in Kentico Xperience can lead to Remote Code Execution, Patch Immediately! | CCB Safeonweb). Successful exploitation means the attacker can now interact with the CMS’s staging functionality with administrative privileges, without ever supplying valid credentials.
Exploiting the Vulnerabilities
Exploitation requires the Kentico Xperience Staging service to be enabled and reachable by the attacker. The attacker crafts SOAP requests to the Staging Sync Server (SyncServer.asmx) to subvert the authentication process:
- CVE-2025-2746 – Digest Authentication Bypass via Empty Password Hash: By manipulating the SOAP request to use WS-Security PasswordDigest authentication with a nonexistent username, an attacker can bypass the login. When Kentico’s service looks up the provided username and doesn’t find a match, it erroneously uses an empty string as the stored password hash. The attacker can compute a digest value that corresponds to an empty password (since the hash formula simplifies to SHA1(nonce + created + “”)) (Bypassing Authentication Like It’s The ‘90s – Pre-Auth RCE Chain(s) in Kentico Xperience CMS). By placing this value in the wsse:Password field of the SOAP header, the attacker gets authenticated successfully. For example, a malicious request may look like:
POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
Host: vulnerable-site.com
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>attackerNonExistentUser</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
          <!-- Digest of nonce+timestamp with empty password -->
          oz8c0EXAMPLEg==
        </wsse:Password>
        <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Ng==</wsse:Nonce>
        <wsu:Created>2025-03-01T12:00:00Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body> ... </soap:Body>
</soap:Envelope>
In the above, the attacker-controlled UsernameToken is crafted so that the server’s authentication logic ends up comparing an empty stored password to an empty password digest – and incorrectly treats it as a match (Bypassing Authentication Like It’s The ‘90s – Pre-Auth RCE Chain(s) in Kentico Xperience CMS). This gives the attacker administrative access to the Staging API with no valid credentials.
- CVE-2025-2747 – Missing Password Token Bypass: This method is even simpler. The attacker sends a SOAP request with a UsernameToken that includes a username (for example, a known admin account) but omits the password field entirely. Due to the WSE 3.0 library’s flawed handling of the “SendNone” option, the absence of a password isn’t properly invalidated (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). As long as the username corresponds to a real user on the system (especially one with high privileges), the authentication check succeeds with no password required (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). In practice, the attacker only needs to know or guess a valid username (e.g. the default administrator account) to leverage this exploit. The SOAP request’s security header would look like:
<wsse:UsernameToken>
  <wsse:Username>Administrator</wsse:Username>
  <!-- No wsse:Password tag provided -->
</wsse:UsernameToken>
Upon receiving such a token, the service erroneously grants access, effectively logging in the attacker as that user with full privileges.
Both exploits can be carried out over the network with a simple HTTP POST to the …/Staging/SyncServer.asmx endpoint, and do not require any prior authentication (they are pre-auth exploits). watchTowr Labs researchers have demonstrated that these issues can be trivially automated using Python scripts to obtain a valid session token and subsequently call admin-level CMS functions (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution).
Potential Risks
The impact of CVE-2025-2746 and CVE-2025-2747 is severe. In a vulnerable configuration, an attacker who exploits either vulnerability essentially becomes an administrator on the CMS. Key risks include:
- Unauthorized Administrative Access: An attacker can create, modify, or delete content, pages, and user accounts in the CMS without authorization. This bypass undermines authentication completely, leading to a full privilege escalation to admin level (Warning: Multiple Critical & High vulnerabilities in Kentico Xperience can lead to Remote Code Execution, Patch Immediately! | CCB Safeonweb).
- Remote Code Execution (RCE): While the authentication bypass itself doesn’t directly execute code, it opens the door to RCE. Attackers with admin access could upload malicious templates or leverage Kentico’s Staging tasks to deploy code. Notably, watchTowr researchers chained these auth bypasses with a post-auth file upload vulnerability (CVE-2025-2749) to achieve full remote code execution on the server (Warning: Multiple Critical & High vulnerabilities in Kentico Xperience can lead to Remote Code Execution, Patch Immediately! | CCB Safeonweb) (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). In other words, once an attacker is authenticated as admin via 2746/2747, they can often execute arbitrary code and completely compromise the host.
- Data Breach and Integrity Loss: With admin control, attackers can access confidential data stored in the CMS (customer information, content, configuration) and alter website content or deface pages at will. This threatens Confidentiality and Integrity of information. Even if RCE is not immediately performed, the attacker could exfiltrate sensitive data or introduce backdoors for persistent access.
- Availability Impact: An attacker with full control could also disrupt services – for example, by deleting critical content or configurations, or by uploading ransomware. This affects system Availability and could lead to downtime.
In summary, a successful exploit of CVE-2025-2746 or CVE-2025-2747 can lead to complete compromise of the Kentico Xperience instance, up to and including full server takeover. Given the critical nature of these bugs (each rated 9.8 Critical), administrators should treat this as an emergency and respond immediately.
Mitigation Steps
Protecting against these vulnerabilities involves both applying patches and adjusting configurations:
- Patch/Upgrade Kentico Xperience: The ideal solution is to update to a fixed version of Kentico Xperience. Kentico has released hotfixes addressing these issues – CVE-2025-2746 was fixed in 13.0.173 and CVE-2025-2747 in 13.0.178 (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). It is strongly recommended to upgrade to Kentico Xperience 13.0.179 or later, which includes patches for both vulnerabilities. Applying the latest hotfix ensures that the Staging service correctly handles authentication tokens (invalid users now throw exceptions instead of returning empty passwords, and “None” password tokens are properly rejected). Always test patches in a staging environment first, but deploy them as soon as possible given the critical risk.
- Disable or Restrict the Staging Service: If you cannot immediately patch, disable the Staging (Sync) Service to eliminate the vulnerable endpoint (Warning: Multiple Critical & High vulnerabilities in Kentico Xperience can lead to Remote Code Execution, Patch Immediately! | CCB Safeonweb). The Staging service may be turned off via Kentico’s settings if it’s not in active use. Disabling it will prevent any exploitation of these flaws at the cost of temporarily suspending content synchronization tasks. If business needs require the service to remain on, consider restricting access to it at the network level (e.g., allow connections only from trusted IPs or internal networks, block external access via firewall). Isolation of the staging endpoint will significantly reduce the attack surface.
- Use Certificate-Based Authentication: As a configuration workaround, switch the Staging service to use X.509 certificate authentication instead of username/password. Kentico Xperience supports using client certificates for the Staging Sync Server authentication. Using this mode avoids the vulnerable code paths in the WS-Security UsernameToken handling (Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution). This should be done only if feasible in your environment (as it requires managing certificates), but it provides an immediate mitigation against the described exploits.
- Monitor and Harden: Increase monitoring of your Kentico deployment for any suspicious SOAP calls to the Staging service URL. Although no known attacks were publicly reported at the time of writing (Warning: Multiple Critical & High vulnerabilities in Kentico Xperience can lead to Remote Code Execution, Patch Immediately! | CCB Safeonweb), attackers may quickly develop exploits. Ensure your logging and intrusion detection systems are capturing SOAP API calls. Additionally, if your Kentico admin user accounts use easily guessable usernames (like “Administrator”), consider renaming them or adding another layer of protection; this is not a substitute for patching, but it can make exploitation slightly harder for CVE-2025-2747, which relies on knowing a valid username.
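The two token anomalies described above (a PasswordDigest token for a username that does not exist, and a UsernameToken with no Password element at all) are simple to spot in captured request bodies. The following detection script is an added example, not code from IONIX, Kentico or watchTowr; it assumes you have Staging request bodies available (for instance from a reverse proxy or WAF capture) and a list of the service accounts that are legitimately allowed to use the Staging service. The sample requests are constructed inline.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the WS-Security UsernameToken header of Staging requests.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"


def inspect_username_token(envelope: str, known_users: set) -> list:
    """Return a list of findings for one SOAP request body sent to SyncServer.asmx."""
    findings = []
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return ["malformed-xml"]
    for token in root.iter(f"{{{WSSE}}}UsernameToken"):
        user_el = token.find(f"{{{WSSE}}}Username")
        username = (user_el.text or "").strip() if user_el is not None else ""
        pw_el = token.find(f"{{{WSSE}}}Password")
        if pw_el is None:
            # SendNone-style token: username only, no Password element at all.
            findings.append(f"missing-password user={username!r} (CVE-2025-2747 pattern)")
            continue
        if pw_el.get("Type", "") == DIGEST_TYPE and username not in known_users:
            # Digest authentication attempted for a user that should not exist.
            findings.append(f"digest-for-unknown-user user={username!r} (CVE-2025-2746 pattern)")
    return findings


def _envelope(username: str, password_xml: str) -> str:
    """Build a constructed sample Staging request around the given UsernameToken children."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>{password_xml}'
        f'<wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Ng==</wsse:Nonce>'
        f'<wsu:Created>2025-03-01T12:00:00Z</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
    )


# Constructed request bodies (not captured traffic); "staging_sync" is an assumed service account.
DIGEST_PW = f'<wsse:Password Type="{DIGEST_TYPE}">b64digestEXAMPLE==</wsse:Password>'
SAMPLES = {
    "legit": _envelope("staging_sync", DIGEST_PW),
    "unknown_user_digest": _envelope("attackerNonExistentUser", DIGEST_PW),
    "no_password": _envelope("Administrator", ""),
}
KNOWN_USERS = {"staging_sync"}


def scan_samples() -> dict:
    """Run the detector over every constructed sample and return findings per sample."""
    return {name: inspect_username_token(body, KNOWN_USERS) for name, body in SAMPLES.items()}
```

Any non-empty finding list on a production capture is worth an alert on its own; a digest token for a known user is still subject to the normal password check and is not flagged here.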
By taking the above steps—patching or hotfixing as priority #1, and implementing workarounds as needed—you can mitigate the risk from these vulnerabilities. Given the potential for pre-auth RCE and total system compromise, organizations should treat this as a top priority in their vulnerability management queue.
Am I Impacted by CVE-2025-2746 or CVE-2025-2747?
IONIX is actively tracking these vulnerabilities. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal.
References
- Multiple Critical & High vulnerabilities in Kentico Xperience (CVE-2025-2746, 2747, 2749) – CCB Safeonweb advisory, March 25, 2025
- NIST National Vulnerability Database entry for CVE-2025-2746
- NIST National Vulnerability Database entry for CVE-2025-2747
- “Bypassing Authentication Like It’s The ‘90s” – Technical blog by watchTowr Labs disclosing WT-2025-0006/0011 (CVE-2025-2746/2747) and the RCE chain
- “Kentico Xperience CMS Authentication Bypass Vulnerability Leads to Remote Code Execution” – Article summarizing the vulnerabilities and their impact