CVE-2025-2747 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-03-24

Added to CISA KEV: 2025-10-20 210 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately update to Kentico Xperience version later than 13.0.178 using available hotfixes
Review Staging Sync Server configuration and disable if not required for production
Monitor administrative access logs for suspicious activity
Implement network segmentation to isolate CMS administrative functions
PATCH PRIORITY: CRITICAL - Deploy emergency patches immediately

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-2747 is a critical authentication bypass vulnerability affecting Kentico Xperience ^[2]. Below is the summary of known information regarding this vulnerability:

Overview and Impact

Vulnerability Type: Authentication Bypass ^[2].
Impact: Successful exploitation allows an unauthorized attacker to bypass authentication mechanisms, potentially gaining administrative access to the affected Kentico Xperience environment ^[1].
Root Cause: The vulnerability resides in the password handling logic within the Staging Sync Server component, specifically concerning the "None" password type ^[2].

Exploitation and Threat Activity

Active Exploitation: CVE-2025-2747 is confirmed to have been exploited in the wild. It was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog on October 20, 2025 ^[4].
Attack Method: The vulnerability is exploitable remotely (network-based) and does not require prior authentication to the target system ^[2].
Targeted Attacks/Ransomware: While it is listed in the CISA KEV catalog—which indicates active exploitation—specific details regarding its use in widespread ransomware campaigns versus targeted espionage or data theft operations are not publicly detailed in the primary advisory records.

Affected Versions and Mitigation

Affected Versions: Kentico Xperience versions up to and including 13.0.178 are known to be affected ^[1].
Status: Organizations using affected versions are urged to apply the vendor-provided patches immediately to mitigate the risk of unauthorized access ^[1].

Proof-of-Concept (PoC) Availability

Security research and analysis regarding the mechanics of this bypass, including the "pre-auth" nature of the vulnerability, have been documented by security researchers (e.g., watchTowr Labs), which provide technical context on how the authentication bypass is achieved ^[3].

Sources

CVE-2025-2747 | Critical Vulnerability in Kentico Xperience
Critical authentication bypass in Kentico Xperience allows unauthorized access. Apply patches immediately to prevent exploitation. ... CVE-2025-2747 is a critical authentication bypass vulnerability affecting Kentico Xperience through version 13.0.178. Organizations are urged to apply necessary patc…
CVE-2025-2747 Detail - NVD
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling. ... Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official,…
An authentication bypass vulnerability in Kentico... · CVE-2025-2747
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million ... https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms. https://www.cisa.gov/known-exploited-vulnerabil…
CISA Adds Five Known Exploited Vulnerabilities to Catalog
CISA has added five new vulnerabilities to its KEV Catalog, based on evidence of active exploitation.

🔴 CVE-2025-2747