CVE-2025-2746

Published Mar 24, 2025

Last updated a month ago

Overview

Description
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
xperience

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
Exploit added on
Oct 20, 2025
Exploit action due
Nov 10, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

disclosure@vulncheck.com
CWE-288

Social media

Hype score
Not currently trending
  1. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-2746 #Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability https://t.co/yWItPuOdmW

    @ScyScan

    20 Oct 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 CISA just added five known exploited vulnerabilities to their catalog: ▪ CVE-2022-48503 Apple Multiple Products Unspecified Vulnerability ▪ CVE-2025-2746 Kentico Xperience Staging Sync Server Digest Password Authentication Bypass Vulnerability ▪ CVE-2025-2747 Kentic

    @IntCyberDigest

    20 Oct 2025

    4098 Impressions

    7 Retweets

    31 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  3. Actively exploited CVE : CVE-2025-2746

    @transilienceai

    2 Apr 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. 🔴New attack report🔴 ➡️ Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747) #cybersecurity #attackreport #iocs #securitricks #threats https://t.co/GbSbvZdBEQ

    @SecuriTricks

    26 Mar 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 CVE-2025-2746 ⚠️🔴 CRITICAL (9.8) 🏢 Kentico - Xperience 🏗️ 0 🔗 https://t.co/6SellumW1y 🔗 https://t.co/FWBcbtoLpv 🔗 https://t.co/py61mkjQS9 #CyberCron #VulnAlert #InfoSec https://t.co/GV2aKH9fku

    @cybercronai

    26 Mar 2025

    20 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Warning: 2 critical, 1 high improper authentication in @Kentico #Xperience CVE-2025-2746, 2747, 2749 CVSS: 9.8-7.2. They can lead to privilege escalation and #RCE. @Kentico recommends updating to 13.0.173 & 13.0.178 or disable the Staging Service #Patch https://t.co/ZcYs7WNxa

    @CCBalert

    25 Mar 2025

    283 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Critical auth bypass found in Kentico Xperience CMS (CVE-2025-2746, CVSS 9.8). Affects versions through 13.0.172 - allows attackers to bypass auth via staging service. Patch now or disable if unused. Details: https://t.co/uCyaWXtZwV #CVE-2025-2746

    @RedTeamNewsBlog

    24 Mar 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. [CVE-2025-2746: CRITICAL] Authentication bypass vulnerability in Kentico Xperience allows attackers to control admin objects via empty SHA1 usernames. Patch Xperience version 13.0.172 to stay secure. #cybersecurity,#vulnerability https://t.co/FBmxIlqbcg https://t.co/SF5buiyf2a

    @CveFindCom

    24 Mar 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations