High severity (7.2) · CISA KEV · NVD Advisory · Published Mar 24, 2025 · Updated Apr 21, 2026
CVE-2025-2749
Description
An authenticated remote code execution vulnerability in Kentico Xperience allows authenticated users of the Staging Sync Server to upload arbitrary data to path-relative locations. Because the supplied relative path is not confined to the intended media directory, this results in path traversal and arbitrary file upload, including content that can be executed server-side, leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
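The description above names the two conditions that turn a file-upload feature into remote code execution: the destination path is taken from the client without being confined to the upload directory, and the written file may have an extension the web server executes. The block below is an added example, not Kentico's code and not taken from any of the referenced advisories; it shows the containment and extension check a hardened upload handler needs, with a constructed base directory (/srv/cms/media), constructed function names and a constructed list of sample paths, and an assumed list of ASP.NET/IIS executable extensions.

```python
# Added example, not code from Kentico or from the advisories referenced on
# this page. It shows the containment check the description implies was
# missing: a caller-supplied relative path must resolve inside the staging
# media directory and must not name a server-executable file. The base
# directory, function names and sample paths are constructed for the example.
import posixpath

# Extensions ASP.NET/IIS hand to a handler instead of serving as static
# content. Assumption for the example; derive the real list from the
# server's handler mappings.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".config"}


def resolve_upload_path(base_dir: str, relative_path: str) -> str:
    """Return the destination for relative_path under base_dir, or raise
    ValueError if the path escapes base_dir or targets executable content."""
    if not relative_path.strip():
        raise ValueError("empty path")
    # Windows hosts accept '\' as a separator, so normalise it first;
    # checking only for '/' would let '..\..\web.config' through.
    path = relative_path.replace("\\", "/")
    # ':' rejects drive-qualified paths (C:\...) and NTFS alternate data
    # streams (shell.aspx::$DATA) in one go.
    if path.startswith("/") or ":" in path:
        raise ValueError("absolute or drive-qualified path rejected")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, path))
    # Containment: the normalised result must be strictly below base.
    # A prefix test without the trailing '/' would accept '/srv/cms/media2'.
    if not target.startswith(base + "/"):
        raise ValueError("path traversal rejected")
    # NTFS strips trailing dots and spaces, so 'shell.aspx.' is written as
    # 'shell.aspx'; classify the name the filesystem will actually use.
    directory, name = posixpath.split(target)
    name = name.rstrip(". ")
    if not name:
        raise ValueError("empty file name")
    ext = posixpath.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        raise ValueError("server-executable extension rejected")
    return posixpath.join(directory, name)


def is_allowed(base_dir: str, relative_path: str) -> bool:
    """Boolean wrapper for batch checks and tests."""
    try:
        resolve_upload_path(base_dir, relative_path)
        return True
    except ValueError:
        return False


# Constructed sample paths: the first two are what a legitimate sync would
# send, the rest are the traversal and upload-abuse shapes the description
# warns about.
SAMPLE_PATHS = [
    "images/logo.png",
    "docs/2025/report.pdf",
    "../../web.config",
    "..\\..\\web.config",
    "images/../../../shell.aspx",
    "shell.aspx",
    "shell.ASPX.",
    "C:\\inetpub\\wwwroot\\shell.aspx",
    "legit.png::$DATA",
    "",
]


def audit(base_dir: str = "/srv/cms/media") -> dict:
    """Map each sample path to whether the check would accept it."""
    return {p: is_allowed(base_dir, p) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, ok in audit().items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {path!r}")
```

The check normalises before comparing, so encoded or doubled separators that the framework has already decoded are handled by the same prefix test; what it deliberately does not do is try to sanitise a bad path into a good one, since rejecting is the only outcome that cannot be bypassed by a second encoding layer.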
References (4)
- devnet.kentico.com/download/hotfixes (NVD: Patch)
- labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/ (NVD: Exploit, Third Party Advisory)
- www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce (NVD: Third Party Advisory)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (NVD: US Government Resource)