🔴 CVE-2025-2749

Authenticated remote code execution in Kentico Xperience CMS: a path traversal flaw in the Staging Sync Server lets an authenticated user write uploaded files outside the intended directory, including web shells that then execute server-side. Listed in CISA KEV, indicating active exploitation.

Risk Level: HIGH_RISK
CVSS Score: 7.2
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-03-24

Added to CISA KEV: 2026-04-20 (392 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-2749 is a high-severity (CVSS 7.2) vulnerability in Kentico Xperience that is confirmed as actively exploited in the wild [5] and appears in Recorded Future's April 2026 list of exploited vulnerabilities linked to ransomware activity [1].

Vulnerability Overview
  • Description: An authenticated remote code execution (RCE) flaw in the Staging Sync Server component of Kentico Xperience. The sync endpoint accepts a caller-supplied relative path for uploaded data and does not confine it to the intended directory, so ".." segments let the caller choose the destination [2] [6].
  • Impact: An authenticated sync user can write arbitrary file content to path-relative locations on the server, including web-served directories; placing a web shell there yields code execution under the web application's identity [3] [6]. Confidentiality, integrity, and availability impact are all rated high [3].
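The defect class behind this CVE, shown as an added example rather than Kentico's own code: a handler that joins a caller-supplied relative path onto a base directory, beside a hardened version that canonicalises the result, proves it stays under the base, and refuses web-executable extensions. The base directory, extension policy and sample paths are assumptions constructed for illustration; the only real-world detail carried over is that the target is a Windows/IIS host, where backslashes are path separators too.

```python
"""
Added example (not Kentico code): why joining an untrusted relative path onto a
base directory lets a sync client write anywhere, and the confinement check that
stops it. ALLOWED_EXTENSIONS and the sample paths are assumptions for illustration.
"""
import os

# Assumed policy: file types a sync client is permitted to write under the base.
# Server-executable types (.aspx, .ashx, .asmx, ...) are deliberately absent.
ALLOWED_EXTENSIONS = {".txt", ".json", ".xml", ".jpg", ".png"}


def vulnerable_target_path(base_dir: str, relative_path: str) -> str:
    """The pattern behind the vulnerability class: naive join, no check.
    '../' segments walk out of base_dir; an absolute path discards base_dir."""
    return os.path.join(base_dir, relative_path)


def safe_target_path(base_dir: str, relative_path: str) -> str:
    """Hardened handler: normalise separators, canonicalise, then prove the
    result is strictly inside base_dir and carries a permitted extension.
    Raises ValueError on any violation; returns the canonical absolute path."""
    # Windows/IIS treat '\\' as a separator; normalise so it cannot hide '..'.
    rel = relative_path.replace("\\", "/")
    if "\x00" in rel:
        raise ValueError("NUL byte in path")
    # Absolute or drive-qualified input must never reach os.path.join.
    if rel.startswith("/") or ":" in rel:
        raise ValueError(f"absolute or drive-qualified path rejected: {relative_path!r}")
    base_real = os.path.realpath(base_dir)
    # realpath collapses '..' lexically and resolves symlinks that already exist.
    candidate = os.path.realpath(os.path.join(base_real, rel))
    # commonpath, not startswith: '/srv/sync-evil' must not pass for '/srv/sync'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base directory: {relative_path!r}")
    if candidate == base_real:
        raise ValueError("path resolves to the base directory itself")
    ext = os.path.splitext(candidate)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed (web shell defence)")
    return candidate


def check_upload_paths(base_dir: str, relative_paths: list[str]) -> dict[str, tuple[bool, bool]]:
    """Run both handlers over candidate paths.
    Returns {path: (naive_join_escapes_base, hardened_handler_accepts)}."""
    base_real = os.path.realpath(base_dir)
    results = {}
    for rel in relative_paths:
        # Simulate the Windows/IIS host: backslashes act as separators there.
        naive = os.path.realpath(vulnerable_target_path(base_real, rel.replace("\\", "/")))
        escapes = os.path.commonpath([base_real, naive]) != base_real
        try:
            safe_target_path(base_real, rel)
            accepted = True
        except ValueError:
            accepted = False
        results[rel] = (escapes, accepted)
    return results


if __name__ == "__main__":
    # Constructed sample inputs; "/srv/sync" is an assumed base directory.
    samples = [
        "images/logo.png",                # legitimate
        "sub/../images/logo.png",         # '..' that stays inside: fine once canonicalised
        "../../wwwroot/shell.aspx",       # classic traversal to a web-served directory
        "..\\..\\wwwroot\\shell.aspx",    # same, with Windows separators
        "/etc/cron.d/job.txt",            # absolute path: join() silently drops the base
        "images/shell.aspx",              # inside the base, but server-executable
    ]
    for path, (escapes, ok) in check_upload_paths("/srv/sync", samples).items():
        print(f"{path!r:36} naive-join escapes base: {escapes!s:5} hardened accepts: {ok}")
```

The hardened handler does not ban the literal string ".." (a "sub/../images/x.png" path is harmless once canonicalised); it rejects on the canonical result, which is the property that actually matters. The extension allowlist is the second, independent control: even a confined write into a web-served directory is an RCE if the server will execute the file type.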
Exploitation and Requirements
  • Attack Vector: Network-based (CVSS AV:N), but exploitation requires an account able to use the Staging Sync Server [4] [5]. The authentication requirement is weaker than it looks: the related CVE-2025-2746 and CVE-2025-2747 allow password authentication to be bypassed in the same Staging Sync Server component [3], so an instance that is unpatched for those should be treated as if this flaw were unauthenticated.
  • Privileges: High privileges are required (PR:H) [3]; the 7.2 score corresponds to the CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
  • Active Exploitation: Listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation [5], and named in Recorded Future's reporting on exploited vulnerabilities linked to ransomware campaigns [1].
  • Exploit Availability: Public proof-of-concept code and detection templates (such as Nuclei templates) have been reported for this vulnerability [1]; assume the upload-and-execute chain is commoditised.
Affected Versions and Mitigation
  • Affected Versions: Kentico Xperience versions up to and including 13.0.178 [6].
  • Status: Apply the vendor's security hotfix so the installed version is beyond the affected range; patch the companion CVE-2025-2746/2747 authentication bypasses in the same maintenance window [3]. Federal agencies are bound by the BOD 22-01 remediation deadlines that accompany KEV listing [2] [5]. Until patched, limit network reachability of the Staging Sync Server to the hosts that legitimately synchronise with it, and, because exploitation leaves a dropped file behind, check web-served directories for recently written server-executable files that the deployment did not create.

Sources

  1. April 2026 CVE Landscape - Recorded Future
     "List of vulnerabilities that were actively exploited in April linked to ransomware activity ... CVE-2025-2749. 99. Kentico Xperience. Exploitation Analysis. This section highlights some of the highest-impact, actively exploited vulnerabilities this mo…"

  2. CVE-2025-2749 Detail - NVD
     "An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations."

  3. Warning: Multiple Critical & High
     "Exploiting CVE-2025-2746 or CVE-2025-2747 could allow threat actors to bypass password authentication in the staging Sync Server component, which could escalate to gaining unauthorized administrative access. ... Exploiting CVE-2025-2749 can allow threat actors to upload arbitrary files to any path l…"

  4. CVE-2025-2749 - Vulnerability Details - OpenCVE
     "The CVSS score of 7.2 indicates high severity, while the EPSS score of 5% reflects a lower exploitation probability. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, underscoring active exploitation risk. Because the flaw requires authenticated access to the Staging Syn…"

  5. CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal ...
     "CVE-2025-2749 (CVSS score: 7.2) - A path traversal vulnerability in Kentico Xperience that could allow an authenticated user's Staging Sync Server to upload…"

  6. CVE-2025-2749 Description, Impact and Technical Details
     "Summary. CVE-2025-2749 is a vulnerability affecting Kentico Xperience versions up to 13.0.178. Authenticated users of the Staging Sync Server can exploit an authenticated remote code execution issue to upload arbitrary data with the use of path traversal techniques. This results in the unintended ex…"