
Kentico Xperience CMS Vulnerability Enables Remote Code Execution

In recent security research, vulnerabilities in the Kentico Xperience CMS have come to light, highlighting significant risks for users who rely on this Content Management System (CMS).

Specifically, two primary issues were identified: an Authentication Bypass vulnerability and a Post-Authentication Remote Code Execution (RCE) vulnerability.

These vulnerabilities, collectively forming a powerful exploit chain, allow attackers to gain full control over the CMS.

Kentico Xperience is a popular enterprise-level CMS written in C#, widely used by large businesses. Despite its widespread adoption, the CMS had a surprisingly low number of critical vulnerabilities reported before this discovery.

This absence of prior reports, noted by watchTowr Labs, coupled with the valuable data the CMS manages, makes Kentico an attractive target for attackers.

Authentication Bypass Vulnerability (WT-2025-0006)

The first vulnerability, WT-2025-0006, was an Authentication Bypass affecting versions before Kentico Xperience 13.0.173.

The vulnerability lies in the Staging Service API. The service is not enabled by default, but where it is enabled it is commonly configured for username/password authentication rather than X.509 certificate authentication, and it is that configuration which is affected.

To exploit this vulnerability, attackers target the CMS.Synchronization.WSE3.SyncServer service, which uses WS-Security to secure SOAP requests.

Specifically, the Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager class is involved in verifying password tokens.

However, when an invalid username is provided, the password lookup returns an empty string instead of throwing an exception, so the authentication process continues as if the account had an empty password.

Although sending an empty password directly is blocked by validation checks, attackers can bypass authentication by using the hashed password verification mechanism (PasswordDigest) instead of a plaintext password.

By supplying their own Nonce and Created timestamp, an attacker can craft a token whose digest is accepted, because the digest of an empty password over those values matches what the server computes for the unknown username.

<wsse:UsernameToken>
  <wsse:Username>watchTowr</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password>
  <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce>
  <wsu:Created>2025-01-01T03:34:56Z</wsu:Created>
</wsse:UsernameToken>

Post-Authentication Remote Code Execution (WT-2025-0007)

After bypassing authentication, attackers can leverage the ProcessSynchronizationTaskData method in the Staging API to achieve RCE. This method deserializes StagingTaskData using SoapFormatter, which is hardened but still flexible enough to be abused.

The vulnerability lies in the ability to create or update objects within Kentico, notably media files. By manipulating the TaskData XML payload, an attacker can exploit a path traversal vulnerability to write files to arbitrary locations.

Specifically, by setting the FilePath in Media_File to a path outside the intended media library, such as ../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/, attackers can write server-side executable files (such as an .aspx page) into the web root and achieve RCE.

<Media_File>
  <FileID>1</FileID>
  <FileName>webshell.aspx</FileName>
  <FileExtension>.aspx</FileExtension>
  <FilePath>../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>993e29f9-086b-4110-872f-5cff26968a7b</FileGUID>
</Media_File>
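Added example (not Kentico's code): a defender-side containment check for the Media_File fields shown above, written in Python. It canonicalises FilePath and FileName against a hypothetical Windows media-library root using ntpath, rejects anything that resolves outside that root, and applies a hypothetical extension allow-list; the traversal payload from the advisory fails both checks, while a constructed benign payload passes.

```python
import ntpath
import xml.etree.ElementTree as ET

# Hypothetical values for the demonstration: a Windows/IIS media library root and an extension allow-list
MEDIA_ROOT = r"C:\inetpub\wwwroot\Kentico13\CMS\MediaLibrary"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def resolve_inside_root(root: str, file_path: str, file_name: str):
    """Return the canonical on-disk path, or None if it would leave the media root."""
    # The name must be a bare file name: non-empty and without separators
    if not file_name or ntpath.basename(file_name) != file_name:
        return None
    # Rooted, drive-letter and UNC paths are never legitimate relative media paths
    if file_path.startswith(("\\", "/")) or ntpath.splitdrive(file_path)[0]:
        return None
    base = ntpath.normpath(root)
    # normpath collapses ".." segments (and "/" to "\"), so containment is judged on the real target
    candidate = ntpath.normpath(ntpath.join(base, file_path, file_name))
    if ntpath.normcase(ntpath.commonpath([base, candidate])) != ntpath.normcase(base):
        return None
    return candidate


def validate_media_file(media_file_xml: str) -> list:
    """Return the problems found in a <Media_File> staging payload (an empty list means it passes)."""
    elem = ET.fromstring(media_file_xml)
    name = elem.findtext("FileName", default="")
    ext = elem.findtext("FileExtension", default="").lower()
    path = elem.findtext("FilePath", default="")
    problems = []
    if ext not in ALLOWED_EXTENSIONS or not name.lower().endswith(ext):
        problems.append("disallowed-extension")
    if resolve_inside_root(MEDIA_ROOT, path, name) is None:
        problems.append("path-escapes-media-root")
    return problems


# The advisory's sample payload, reduced to the fields the check reads
TRAVERSAL_PAYLOAD = """<Media_File>
  <FileName>webshell.aspx</FileName>
  <FileExtension>.aspx</FileExtension>
  <FilePath>../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/</FilePath>
</Media_File>"""

# A constructed benign payload that stays inside the library
BENIGN_PAYLOAD = ("<Media_File><FileName>logo.png</FileName><FileExtension>.png</FileExtension>"
                  "<FilePath>images/2025/</FilePath></Media_File>")
```

Because the check runs on the canonical target rather than on the raw string, mixed separators and repeated ".." segments are handled the same way the filesystem would handle them.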

Additional Authentication Bypass (WT-2025-0011)

Another Authentication Bypass vulnerability was discovered in WSE3’s VerifyPassword method.

When the Password Option is SendNone, no password validation is performed, allowing authentication bypass simply by providing a valid username without a password.

In versions 13.0.173 through 13.0.177 this bypass requires a valid username, but it remains exposed to guessing of common usernames such as “admin”.
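Added example (not from watchTowr or Kentico) covering both bypass patterns described above, in Python: it audits a wsse:UsernameToken and flags a PasswordDigest equal to the digest of an empty password over the token's own Nonce and Created values (WT-2025-0006), as well as a token carrying no Password element at all (the SendNone case, WT-2025-0011). The digest formula is the WS-Security UsernameToken profile's Base64(SHA-1(nonce + created + password)); the fixtures are constructed, reuse the advisory's nonce and timestamp, and declare the wsse/wsu namespaces so the XML parses.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    # WS-Security UsernameToken profile 1.0: Base64(SHA-1(nonce || created || password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def audit_username_token(token_xml: str) -> list:
    """Return the suspicious patterns found in one wsse:UsernameToken (namespaces must be declared)."""
    token = ET.fromstring(token_xml)
    password = token.find(f"{{{WSSE}}}Password")
    if password is None:
        # No Password element at all: the SendNone case behind WT-2025-0011
        return ["no-password-element"]
    text = (password.text or "").strip()
    if password.get("Type") == DIGEST:
        nonce = token.findtext(f"{{{WSSE}}}Nonce", default="")
        created = token.findtext(f"{{{WSU}}}Created", default="")
        # Digest of an empty password over the supplied nonce/timestamp: the WT-2025-0006 pattern
        if text == password_digest(nonce, created, ""):
            return ["empty-password-digest"]
    elif not text:
        return ["empty-password-text"]
    return []


# Constructed fixtures for the demonstration; the nonce and timestamp mirror the advisory's sample token
NONCE = base64.b64encode(b"12345678901234567890123").decode()
CREATED = "2025-01-01T03:34:56Z"


def fixture(password_element: str) -> str:
    head = f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:Username>watchTowr</wsse:Username>'
    tail = f"<wsse:Nonce>{NONCE}</wsse:Nonce><wsu:Created>{CREATED}</wsu:Created></wsse:UsernameToken>"
    return head + password_element + tail


EMPTY_DIGEST_TOKEN = fixture(f'<wsse:Password Type="{DIGEST}">{password_digest(NONCE, CREATED, "")}</wsse:Password>')
REAL_DIGEST_TOKEN = fixture(f'<wsse:Password Type="{DIGEST}">{password_digest(NONCE, CREATED, "s3cret")}</wsse:Password>')
NO_PASSWORD_TOKEN = fixture("")
```

Run over captured staging requests, either finding is a strong signal that a bypass was attempted against a username/password-configured Staging Service.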

Kentico addressed the first Authentication Bypass (WT-2025-0006) in version 13.0.173 by modifying the AuthenticateToken method to throw an exception on invalid usernames.

However, the Post-Auth RCE vulnerability remained unpatched until version 13.0.178.

Affected Product Table

Vulnerability ID | Vulnerability Type | Description | Affected Versions | CVE
WT-2025-0006 | Authentication Bypass | Allows authentication bypass by manipulating WS-Security tokens. | Prior to Kentico Xperience 13.0.173 | None
WT-2025-0007 | Post-Authentication RCE | Enables remote code execution after initial authentication bypass. | Prior to 13.0.178 (for full patch) | None
WT-2025-0011 | Authentication Bypass | Additional bypass vulnerability resolved in 13.0.178. | Prior to 13.0.178 | None

Recommendations:

  • Update Kentico Xperience CMS to the latest version to ensure you have the necessary patches.
  • Disable the Staging Service if not needed, or switch to X.509 authentication.
  • Monitor CMS configurations for unexpected changes or suspicious activity.

Detection scripts for these vulnerabilities are available on GitHub to help security teams verify if their instances are vulnerable.

The vulnerabilities identified in Kentico Xperience CMS underscore the importance of continuous security monitoring and updates.

By chaining these vulnerabilities, attackers can achieve full control over affected systems, highlighting the need for proactive security measures and vendor engagement.

The rapid response from Kentico demonstrates the value of responsible disclosure and patching in mitigating such threats.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
