Kentico Xperience CMS Vulnerability Enables Remote Code Execution

In recent security research, vulnerabilities in the Kentico Xperience CMS have come to light, highlighting significant risks for users who rely on this Content Management System (CMS).

Specifically, two primary issues were identified: an Authentication Bypass vulnerability and a Post-Authentication Remote Code Execution (RCE) vulnerability.

These vulnerabilities, collectively forming a powerful exploit chain, allow attackers to gain full control over the CMS.

Kentico Xperience is a popular enterprise-level CMS written in C#, widely used by large businesses. Despite its widespread adoption, the CMS had a surprisingly low number of critical vulnerabilities reported before this discovery.

This lack of reported vulnerabilities by WatchTowr Labs, coupled with the valuable data it manages, makes Kentico an attractive target for attackers.

Authentication Bypass Vulnerability (WT-2025-0006)

The first vulnerability, WT-2025-0006, was an Authentication Bypass affecting versions before Kentico Xperience 13.0.173.

This vulnerability exploits the Staging Service API, which is not enabled by default but is common in configurations where users opt for username/password authentication instead of X.509-based authentication.

To exploit this vulnerability, attackers target the CMS.Synchronization.WSE3.SyncServer service, which uses WS-Security to secure SOAP requests.

Specifically, the Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager class is involved in verifying password tokens.

However, when an invalid username is provided, the authentication process returns an empty string instead of throwing an exception.

Although directly sending an empty password is blocked by validation checks, attackers can bypass authentication by using a hashed password verification mechanism (PasswordDigest).

By manipulating the Nonce and Timestamp, an attacker can craft a valid authentication token, exploiting the fact that an empty password (when hashed) can be used.

<wsse:UsernameToken>
  <wsse:Username>watchTowr</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password>
  <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce>
  <wsu:Created>2025-01-01T03:34:56Z</wsu:Created>
</wsse:UsernameToken>

Post-Authentication Remote Code Execution (WT-2025-0007)

After bypassing authentication, attackers can leverage the ProcessSynchronizationTaskData method in the Staging API to perform RCE. This method deserializes StagingTaskData using SoapFormatter, which is hardened but still powerful enough for exploitation.

The vulnerability lies in the ability to create or update objects within Kentico, notably media files. By manipulating the TaskData XML payload, an attacker can exploit a path traversal vulnerability to write files to arbitrary locations.

Specifically, by setting the FilePath in Media_File to a path outside the intended media library, such as ../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/, attackers can upload executable files to achieve RCE.

<Media_File>
  <FileID>1</FileID>
  <FileName>webshell.aspx</FileName>
  <FileExtension>.aspx</FileExtension>
  <FilePath>../../../../../../../../inetpub/wwwroot/Kentico13/CMS/CMSPages/</FilePath>
  <FileSize>20</FileSize>
  <FileGUID>993e29f9-086b-4110-872f-5cff26968a7b</FileGUID>
</Media_File>

Additional Authentication Bypass (WT-2025-0011)

Another Authentication Bypass vulnerability was discovered in WSE3’s VerifyPassword method.

When the Password Option is SendNone, no password validation is performed, allowing authentication bypass simply by providing a valid username without a password.

This exploit required providing a valid username for versions between 13.0.173 and 13.0.177, but potentially vulnerable to brute-forcing common usernames like “admin.”

Kentico addressed the first Authentication Bypass (WT-2025-0006) in version 13.0.173 by modifying the AuthenticateToken method to throw an exception on invalid usernames.

However, the Post-Auth RCE vulnerability remained unpatched until version 13.0.178.

Affected Product Table

Vulnerability ID	Vulnerability Type	Description	Affected Versions	CVE
WT-2025-0006	Authentication Bypass	Allows authentication bypass by manipulating WS-Security tokens.	Prior to Kentico Xperience 13.0.173	None
WT-2025-0007	Post-Authentication RCE	Enables remote code execution after initial authentication bypass.	Prior to 13.0.178 (for full patch)	None
WT-2025-0011	Authentication Bypass	Additional bypass vulnerability resolved in 13.0.178.	Prior to 13.0.178	None

Recommendations:

• Update Kentico Xperience CMS to the latest version to ensure you have the necessary patches.
• Disable the Staging Service if not needed, or switch to X.509 authentication.
• Monitor CMS configurations for unexpected changes or suspicious activity.

Detection scripts for these vulnerabilities are available on GitHub to help security teams verify if their instances are vulnerable.

The vulnerabilities identified in Kentico Xperience CMS underscore the importance of continuous security monitoring and updates.

By chaining these vulnerabilities, attackers can achieve full control over affected systems, highlighting the need for proactive security measures and vendor engagement.

The rapid response from Kentico demonstrates the value of responsible disclosure and patching in mitigating such threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.