CVE-2025-2749: Kentico Xperience Path Traversal Vulnerability
Summary
A path traversal vulnerability has been identified in Kentico Xperience that allows authenticated users to upload arbitrary data to specific locations via the Staging Sync Server. This flaw requires urgent mitigation: apply the vendor's instructions, or discontinue use of the product if patches are unavailable.
IFF Assessment
The vulnerability allows for unauthorized data uploads, posing a direct threat to system integrity and potentially enabling further compromise.
Severity
The vulnerability allows arbitrary file upload, which can lead to code execution or data manipulation, impacting Confidentiality, Integrity, and Availability. Exploitability is likely moderate because authentication is required, but the impact is high.
CISA KEV: Listed as actively exploited. Federal patch due: May 04, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability presents a significant risk for organizations running Kentico Xperience, since authenticated users can exploit it to upload malicious files. Defenders should prioritize applying vendor-provided patches or, until then, implementing compensating controls (such as restricting access to the Staging Sync Server endpoint and monitoring it for unexpected uploads) to prevent unauthorized data uploads and potential system compromise.