CVE-2025-2749
KEV
🔴 Patch now
Remote code execution in Kentico Xperience allows authenticated users to upload arbitrary files.
CVSS
7.2
EPSS
3.5%
Exploit
weaponized
Vendor
kentico
Source description (NVD)
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution. This issue affects Kentico Xperience through 13.0.178.
exploit path-traversal rce
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 7.2 |
| CISA KEV (actively exploited) | Yes |
| FIRST EPSS (exploit probability) | 3.5% |
| Published (NVD) | 2025-03-24 19:15:52 UTC |
| Last modified (NVD) | 2026-04-21 12:48:29 UTC |
References
- https://devnet.kentico.com/download/hotfixes (disclosure@vulncheck.com) [Patch]
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/ (disclosure@vulncheck.com) [Exploit, Third Party Advisory]
- https://www.vulncheck.com/advisories/kentico-xperience-staging-media-file-upload-authenticated-rce (disclosure@vulncheck.com) [Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]