PT-2025-12671 · Kentico · Kentico Xperience
Piotr Bazydlo · Published 2025-03-24 · Updated 2026-04-22
CVE-2025-2749

| CVSS v3.1 | Value |
|---|---|
| Score | 7.2 (High) |
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kentico Xperience versions prior to 13.0.179
Description
An authenticated remote code execution vulnerability allows users of the Staging Sync Server to upload arbitrary data to locations addressed by relative paths. This results in path traversal and arbitrary file upload: content placed this way can be executed on the server side, leading to remote code execution. This issue has been actively exploited in real-world incidents.
Recommendations
Update to a version newer than 13.0.178.
Tags: RCE · Path traversal · Unrestricted File Upload
Affected Products
Kentico Xperience