Kentico Xperience CMS Vulnerability Enables Remote Code Execution

In recent security research, vulnerabilities in the Kentico Xperience CMS have come to light, highlighting significant risks for users who rely on this Content Management System (CMS).

Specifically, two primary issues were identified: an Authentication Bypass vulnerability and a Post-Authentication Remote Code Execution (RCE) vulnerability.

These vulnerabilities, collectively forming a powerful exploit chain, allow attackers to gain full control over the CMS.

Kentico Xperience is a popular enterprise-level CMS written in C#, widely used by large businesses. Despite its widespread adoption, the CMS had a surprisingly low number of critical vulnerabilities reported before this discovery.

This scarcity of reported vulnerabilities, noted by watchTowr Labs, coupled with the valuable data the CMS manages, makes Kentico an attractive target for attackers.

Authentication Bypass Vulnerability (WT-2025-0006)

The first vulnerability, WT-2025-0006, was an Authentication Bypass affecting versions before Kentico Xperience 13.0.173.

This vulnerability resides in the Staging Service API, which is not enabled by default; where it is enabled, it is commonly configured to use username/password authentication rather than X.509 certificate-based authentication.

To exploit this vulnerability, attackers target the CMS.Synchronization.WSE3.SyncServer service, which uses WS-Security to secure SOAP requests.

Specifically, the Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager class is involved in verifying password tokens.

However, when an invalid username is provided, the authentication process returns an empty string instead of throwing an exception.

Although directly sending an empty password is blocked by validation checks, attackers can bypass authentication by using a hashed password verification mechanism (PasswordDigest).

By manipulating the Nonce and Timestamp, an attacker can craft a valid authentication token, exploiting the fact that an empty password (when hashed) can be used.

<wsse:UsernameToken>
  <wsse:Username>watchTowr</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password>
  <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce>
  <wsu:Created>2025-01-01T03:34:56Z</wsu:Created>
</wsse:UsernameToken>
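
The following is an added illustration, not code from the article or from Kentico, of why an empty-string lookup result defeats PasswordDigest verification. The digest is computed as Base64(SHA-1(nonce || created || password)) per the OASIS Username Token Profile 1.0; the credential store, user names and the "lenient" versus "strict" lookup functions are constructed for the demonstration, and the Nonce and Created values are taken from the sample token above (the sample's digest value is not recomputed or asserted here).

```python
import base64
import hashlib
import hmac

# Constructed credential store for the demonstration; not Kentico's real user storage.
USERS = {"administrator": "correct horse battery staple"}


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest as defined by the OASIS Username Token Profile 1.0:
    Base64(SHA-1(nonce || created || password))."""
    nonce = base64.b64decode(nonce_b64)
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def lookup_password_lenient(username: str) -> str:
    """Mirrors the defect described above: an unknown username yields an
    empty string instead of an error, so the verifier later computes the
    expected digest over an empty password."""
    return USERS.get(username, "")


def lookup_password_strict(username: str) -> str:
    """Hardened lookup: an unknown username is an error, which is the shape
    of the AuthenticateToken change the article attributes to 13.0.173."""
    if username not in USERS:
        raise PermissionError("unknown username")
    return USERS[username]


def verify_username_token(token: dict, lookup) -> bool:
    """Verify a UsernameToken given as a dict with keys Username, Password
    (the digest), Nonce (Base64) and Created. Returns True only when the
    supplied digest matches the digest computed from the stored password."""
    try:
        stored = lookup(token["Username"])
    except PermissionError:
        return False
    supplied = token.get("Password") or ""
    if not supplied:
        # A token that carries no password is never accepted.
        return False
    expected = password_digest(token["Nonce"], token["Created"], stored)
    return hmac.compare_digest(expected, supplied)


def verify_username_token_hardened(token: dict) -> bool:
    """Strict lookup plus a defence-in-depth rule: never verify a digest
    against an empty stored secret, whatever the lookup returned."""
    try:
        stored = lookup_password_strict(token["Username"])
    except PermissionError:
        return False
    supplied = token.get("Password") or ""
    if not stored or not supplied:
        return False
    expected = password_digest(token["Nonce"], token["Created"], stored)
    return hmac.compare_digest(expected, supplied)


# Constructed token reusing the Nonce and Created values from the article's
# sample, with a digest computed over an empty password for an unknown user.
NONCE = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM="
CREATED = "2025-01-01T03:34:56Z"
UNKNOWN_USER_TOKEN = {
    "Username": "nosuchuser",
    "Password": password_digest(NONCE, CREATED, ""),
    "Nonce": NONCE,
    "Created": CREATED,
}

if __name__ == "__main__":
    print("lenient lookup accepts unknown user:",
          verify_username_token(UNKNOWN_USER_TOKEN, lookup_password_lenient))
    print("hardened verifier accepts unknown user:",
          verify_username_token_hardened(UNKNOWN_USER_TOKEN))
```

The lenient path accepts the constructed token because both sides hash the same empty string; the hardened path rejects it twice over, once because the user is unknown and once because an empty secret is never a valid verification key. A production verifier would additionally enforce Created freshness and Nonce uniqueness to block replay, which this illustration leaves out.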

Post-Authentication Remote Code Execution (WT-2025-0007)

After bypassing authentication, attackers can leverage the ProcessSynchronizationTaskData method in the Staging API to perform RCE. This method deserializes StagingTaskData using SoapFormatter, which is hardened but still powerful enough for exploitation.

The vulnerability lies in the ability to create or update objects within Kentico, notably media files. By manipulating the TaskData XML payload, an attacker can exploit a path traversal vulnerability to write files to arbitrary locations.

Specifically, by setting the FilePath in Media_File to a path outside the intended media library, such as ../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/, attackers can upload executable files to achieve RCE.

<Media_File>
  <FileID>1</FileID>
  <FileName>webshell.aspx</FileName>
  <FileExtension>.aspx</FileExtension>
  <FilePath>../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>993e29f9-086b-4110-872f-5cff26968a7b</FileGUID>
</Media_File>
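
As an added example (not the article's or Kentico's code), the check a media-file write path should apply before touching disk: resolve the library root joined with the task's FilePath and FileName, normalise away any ".." segments, and refuse anything that lands outside the root, with an extension allowlist as a second gate. The media root, the allowlist and the benign comparison record are assumptions constructed for the demonstration; the traversal record is the sample shown above.

```python
import os
from typing import Optional, Tuple
from xml.etree import ElementTree as ET

# Assumed deployment policy for the demonstration; Kentico's own media
# configuration is not modelled here.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def resolve_inside_root(media_root: str, file_path: str, file_name: str) -> Optional[str]:
    """Join the library root with FilePath and FileName, normalise the
    result (collapsing '..' segments and resolving symlinks where the
    components exist) and return it only if it is still inside the root.
    Returns None when the path escapes, including when FilePath is absolute."""
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, file_path, file_name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def validate_media_file(xml_text: str, media_root: str) -> Tuple[bool, str]:
    """Parse a Media_File element and apply two checks before any write:
    the resolved target must stay inside media_root, and FileExtension must
    be on the allowlist and agree with FileName. Returns (accepted, detail)."""
    # xml.etree is adequate for this constructed input; untrusted XML in a
    # real service should go through a hardened parser such as defusedxml.
    element = ET.fromstring(xml_text)
    file_name = element.findtext("FileName", "")
    file_ext = element.findtext("FileExtension", "").lower()
    file_path = element.findtext("FilePath", "")

    target = resolve_inside_root(media_root, file_path, file_name)
    if target is None:
        return False, "path escapes media library"
    if file_ext not in ALLOWED_EXTENSIONS or os.path.splitext(file_name)[1].lower() != file_ext:
        return False, "extension not permitted"
    return True, target


# The article's traversal sample, reproduced here as test input.
TRAVERSAL_SAMPLE = """<Media_File>
  <FileID>1</FileID>
  <FileName>webshell.aspx</FileName>
  <FileExtension>.aspx</FileExtension>
  <FilePath>../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>993e29f9-086b-4110-872f-5cff26968a7b</FileGUID>
</Media_File>"""

# A constructed benign record for comparison.
BENIGN_SAMPLE = """<Media_File>
  <FileID>2</FileID>
  <FileName>photo.png</FileName>
  <FileExtension>.png</FileExtension>
  <FilePath>images/2025/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>00000000-0000-0000-0000-000000000000</FileGUID>
</Media_File>"""

if __name__ == "__main__":
    for sample in (TRAVERSAL_SAMPLE, BENIGN_SAMPLE):
        print(validate_media_file(sample, "/srv/cms/media"))
```

The containment test is done on the fully resolved path rather than by string-matching for "..", so encoded or mixed separators and absolute FilePath values are covered by the same rule. The extension gate is deliberately a second, independent check: a write that passes containment but carries a server-executable extension is still refused.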

Additional Authentication Bypass (WT-2025-0011)

Another Authentication Bypass vulnerability was discovered in WSE3’s VerifyPassword method.

When the Password Option is SendNone, no password validation is performed, allowing authentication bypass simply by providing a valid username without a password.

For versions 13.0.173 through 13.0.177, this bypass required a valid username, but common usernames such as "admin" could potentially be brute-forced.

Kentico addressed the first Authentication Bypass (WT-2025-0006) in version 13.0.173 by modifying the AuthenticateToken method to throw an exception on invalid usernames.

However, the Post-Auth RCE vulnerability remained unpatched until version 13.0.178.

Affected Product Table

Vulnerability ID | Vulnerability Type      | Description                                                        | Affected Versions                    | CVE
WT-2025-0006     | Authentication Bypass   | Allows authentication bypass by manipulating WS-Security tokens.   | Prior to Kentico Xperience 13.0.173  | None
WT-2025-0007     | Post-Authentication RCE | Enables remote code execution after initial authentication bypass. | Prior to 13.0.178 (for full patch)   | None
WT-2025-0011     | Authentication Bypass   | Additional bypass vulnerability resolved in 13.0.178.              | Prior to 13.0.178                    | None

Recommendations:

  • Update Kentico Xperience CMS to the latest version to ensure you have the necessary patches.
  • Disable the Staging Service if not needed, or switch to X.509 authentication.
  • Monitor CMS configurations for unexpected changes or suspicious activity.

Detection scripts for these vulnerabilities are available on GitHub to help security teams verify if their instances are vulnerable.

The vulnerabilities identified in Kentico Xperience CMS underscore the importance of continuous security monitoring and updates.

By chaining these vulnerabilities, attackers can achieve full control over affected systems, highlighting the need for proactive security measures and vendor engagement.

The rapid response from Kentico demonstrates the value of responsible disclosure and patching in mitigating such threats.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
