CVE-2025-2746 — Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability

Kentico Xperience CMS — Staging Service PasswordDigest Auth Bypass; Chains for Pre-Auth RCE (WatchTowr)

What is Kentico Xperience CMS?

Kentico Xperience is a .NET-based enterprise content management system developed by Kentico Software (Czech Republic), used by organizations to manage websites, e-commerce, and digital marketing campaigns. The Staging Service within Xperience enables content synchronization between development, staging, and production environments via SOAP web services — a common enterprise CMS architecture that allows content editors to promote content through a workflow pipeline.

Overview

CVE-2025-2746 is an authentication bypass (CWE-288) in the Kentico Xperience CMS Staging Sync Server SOAP endpoint. A flaw in the WS-Security PasswordDigest authentication handler allows an attacker to authenticate as any user — including administrators — by supplying a non-existent username with a computed digest for an empty password. When chained with CVE-2025-2747 (alternate WSE 3.0 bypass) and CVE-2025-2749 (post-auth file upload RCE), the result is unauthenticated remote code execution on the CMS server. WatchTowr Labs published the research describing this chain under the title "Bypassing Authentication Like It's The '90s."

Affected Versions

Product: Kentico Xperience 13.x
Vulnerable: ≤ 13.0.172
Fixed: 13.0.173+ (13.0.179 for all chain fixes)

X.509 certificate-based Staging Service authentication is not affected.

Technical Details

The vulnerability is in the WS-Security PasswordDigest authentication handler of the Staging Sync Server at /Staging/SyncServer.asmx. When processing a SOAP authentication block, the handler looks up the stored password hash for the supplied Username. If the username does not exist in the database, the handler returns an empty string rather than rejecting the request. An attacker pre-computes the valid WS-Security PasswordDigest value using an empty password — deterministic for any given nonce and timestamp — and the digest check passes, granting an authenticated session.
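The handler flaw described above, as an added illustration that is not Kentico's code: a minimal WS-Security UsernameToken PasswordDigest check in the vulnerable shape (an unknown username is looked up as an empty string, so the empty-password digest matches) beside a hardened form that rejects unknown or empty credentials and compares in constant time. The credential store, usernames, nonce and timestamp are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the CMS credential store (assumption: the real
# Kentico lookup API is not on the page; only its failure mode is).
USERS = {"stagingadmin": "correct horse battery staple"}

# Constructed sample request values; a real nonce is random per request.
SAMPLE_NONCE = base64.b64encode(b"0123456789abcdef").decode()
SAMPLE_CREATED = "2025-03-24T00:00:00Z"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security UsernameToken PasswordDigest: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def verify_vulnerable(username: str, nonce_b64: str, created: str, digest: str) -> bool:
    """Mirrors the advisory's flaw: an unknown username yields "" instead of a rejection,
    so a digest computed over the empty password matches for any non-existent user."""
    stored = USERS.get(username, "")
    return password_digest(nonce_b64, created, stored) == digest


def verify_fixed(username: str, nonce_b64: str, created: str, digest: str) -> bool:
    """Hardened form: unknown or empty-credential accounts never authenticate, and the
    comparison is constant-time. A dummy credential keeps the work uniform so response
    timing does not reveal whether the username exists."""
    stored = USERS.get(username)
    present = stored is not None and stored != ""
    expected = password_digest(nonce_b64, created, stored if present else "dummy-not-a-user")
    return hmac.compare_digest(expected, digest) and present


if __name__ == "__main__":
    empty_digest = password_digest(SAMPLE_NONCE, SAMPLE_CREATED, "")
    print("vulnerable accepts unknown user:",
          verify_vulnerable("nosuchuser", SAMPLE_NONCE, SAMPLE_CREATED, empty_digest))
    print("fixed accepts unknown user:     ",
          verify_fixed("nosuchuser", SAMPLE_NONCE, SAMPLE_CREATED, empty_digest))
```

The same property is what remediation step 4 audits for: a successful Staging Service login whose username has no matching account is the signature of this bypass.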

Full pre-auth RCE chain:

  1. CVE-2025-2746 (this CVE): Authenticate to /Staging/SyncServer.asmx using a non-existent username and empty-password digest
  2. CVE-2025-2747: Alternate bypass via WSE 3.0 library "no-password" SOAP flaw (if 2746 is patched independently)
  3. CVE-2025-2749: Upload a malicious ASPX webshell via the now-authenticated Staging Service → Remote Code Execution

Key characteristics:

  • No prior credentials or access required
  • Target: the Staging Service endpoint, common in enterprise multi-environment deployments
  • Empty-password digest is fully pre-computable by the attacker given the SOAP nonce and timestamp

Discovery

WatchTowr Labs researchers identified the two-bypass chain and full RCE pathway, publishing research in March 2025.

Exploitation Context

CISA added CVE-2025-2746 alongside CVE-2025-2747 to the KEV catalog on October 20, 2025, confirming active exploitation in the wild. The gap between the March 2025 patch and the October 2025 KEV listing suggests targeted exploitation of unpatched instances over an extended period. Public PoC code for the full chain was available following WatchTowr's research publication.

Remediation

  1. Apply hotfix 13.0.173 to address CVE-2025-2746; upgrade to 13.0.179+ to address all related chain CVEs in one update.
  2. Switch Staging Service authentication to X.509 certificates — certificate-based auth is unaffected by either bypass.
  3. Restrict /Staging/SyncServer.asmx at the network perimeter — it should only be reachable from known staging servers, never from the internet.
  4. Audit Staging Service authentication logs for requests using non-existent usernames, especially between March and October 2025.
  5. Apply the fix for CVE-2025-2749 simultaneously to close the file upload payload delivery mechanism.

Key Details

CVE ID: CVE-2025-2746
Vendor / Product: Kentico — Xperience CMS
NVD Published: 2025-03-24
NVD Last Modified: 2025-11-06
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-288
CISA KEV Added: 2025-10-20
CISA KEV Deadline: 2025-11-10
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-11-10. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-03-24: CVE published; Kentico releases hotfix 13.0.173
2025-10-20: Added to CISA Known Exploited Vulnerabilities catalog (alongside CVE-2025-2747)
2025-11-10: CISA BOD 22-01 remediation deadline