PT-2025-12668 · Kentico · Kentico Xperience

Piotr Bazydlo · Published 2025-03-24 · Updated 2025-11-06 · CVE-2025-2746

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kentico Xperience, versions through 13.0.172
Description: An authentication bypass exists in the Staging Sync Server of Kentico Xperience. The password management used for the server's digest authentication mishandles an empty username in the SHA1 digest check, so an unauthenticated attacker who submits an authentication request with an empty username can pass the check without knowing the staging password and gain control of administrative objects through the staging service. The issue is reported as actively exploited in the wild. The affected component is the Staging Sync Server; the vulnerable input is the username parameter of the authentication request.
Recommendations: Update Kentico Xperience to version 13.0.173 or 13.0.178. If updating is not immediately possible, disable the Staging Service to remove the exposed authentication path until the update can be applied.
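A model of the bug class described above (an empty username that resolves to an empty secret in a digest check) beside a hardened check and a detection rule, as an added example: this is not Kentico's code and not from this advisory, and the actual Kentico code path is not reproduced on this page. The WS-Security UsernameToken wire format, the single-account credential store, the function names and the sample request are assumptions or constructed for the example.

```python
"""Model of an empty-username digest-authentication bypass, a hardened check and
a detection rule.  Added illustration, not Kentico's code; the wire format,
credential store and sample request are assumptions."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed server-side configuration (assumption): one staging account whose
# password is kept as a SHA1 hex digest, i.e. a "SHA1 password format" secret.
STAGING_USER = "staging_admin"
STAGING_SECRET = hashlib.sha1(b"S3cret-staging-pw").hexdigest()


def password_digest(nonce: bytes, created: str, secret: str) -> str:
    """UsernameToken profile digest: Base64(SHA1(nonce + created + secret))."""
    raw = hashlib.sha1(nonce + created.encode() + secret.encode()).digest()
    return base64.b64encode(raw).decode()


def parse_username_token(soap_xml: str) -> dict:
    """Extract Username, Nonce, Created and the Password digest from a request."""
    root = ET.fromstring(soap_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in request")

    def text(tag, ns=WSSE):
        el = tok.find(f"{{{ns}}}{tag}")
        return (el.text or "") if el is not None else ""

    pw = tok.find(f"{{{WSSE}}}Password")
    return {
        "username": text("Username"),
        "nonce": text("Nonce"),
        "created": text("Created", WSU),
        "digest": (pw.text or "") if pw is not None else "",
        "is_digest": pw is not None and pw.get("Type") == DIGEST_TYPE,
    }


def lookup_secret_vulnerable(username: str) -> str:
    # Bug pattern: an empty (or otherwise unmatched) username has no stored
    # secret, and the lookup hands back "" instead of refusing.  The digest is
    # then verified against SHA1(nonce + created + ""), which anyone can compute.
    return STAGING_SECRET if username == STAGING_USER else ""


def verify_vulnerable(tok: dict) -> bool:
    nonce = base64.b64decode(tok["nonce"])
    expected = password_digest(nonce, tok["created"], lookup_secret_vulnerable(tok["username"]))
    return expected == tok["digest"]


def verify_hardened(tok: dict, seen_nonces: set) -> bool:
    # Reject empty or unknown usernames before any digest is computed, make
    # nonces single-use, and compare in constant time.
    if not tok["is_digest"] or not tok["username"] or tok["username"] != STAGING_USER:
        return False
    if tok["nonce"] in seen_nonces:
        return False
    seen_nonces.add(tok["nonce"])
    nonce = base64.b64decode(tok["nonce"])
    expected = password_digest(nonce, tok["created"], STAGING_SECRET)
    return hmac.compare_digest(expected.encode(), tok["digest"].encode())


def is_suspicious(tok: dict) -> bool:
    """Detection rule for request logs: a PasswordDigest token with an empty Username."""
    return tok["is_digest"] and tok["username"] == ""


def build_request(username: str, secret: str, created: str = "2025-03-24T12:00:00Z") -> str:
    """Constructed client request; with username="" and secret="" it needs no password."""
    nonce = secrets.token_bytes(16)
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, secret)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


if __name__ == "__main__":
    forged = parse_username_token(build_request("", ""))
    legit = parse_username_token(build_request(STAGING_USER, STAGING_SECRET))
    print("forged passes vulnerable check:", verify_vulnerable(forged))
    print("forged passes hardened check:", verify_hardened(forged, set()))
    print("legit passes hardened check:", verify_hardened(legit, set()))
    print("forged flagged by detection rule:", is_suspicious(forged))
```

The hardened check refuses the request on the username before touching the digest, so no "default" secret can ever be compared; the detection rule is the cheap log-side counterpart, since a legitimate staging client has no reason to send a digest token with an empty username.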

Tags: Exploit · Fix · LPE

Weakness Enumeration: Authentication Bypass Using an Alternate Path or Channel (CWE-288); Improper Authentication (CWE-287)

Related Identifiers: CVE-2025-2746

Affected Products: Kentico Xperience