CVE-2025-2747 — Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability

Kentico Xperience CMS — WSE 3.0 No-Password Auth Bypass; Second Bypass Path in Staging Service RCE Chain

What is Kentico Xperience CMS?

Kentico Xperience is a .NET-based enterprise content management system used by organizations for website management, e-commerce, and digital marketing. The Staging Service allows content synchronization between development, staging, and production environments via SOAP web services using the obsolete Microsoft WSE 3.0 (Web Services Enhancements) library. See also the companion vulnerability CVE-2025-2746, which exploits a different code path in the same endpoint.

Overview

CVE-2025-2747 is the second of two authentication bypass vulnerabilities (CWE-288) in the Kentico Xperience CMS Staging Sync Server. Where CVE-2025-2746 exploits the PasswordDigest handler's empty-password logic, CVE-2025-2747 exploits a fundamental flaw in the obsolete WSE 3.0 SOAP security library: sending a SOAP request with a valid Username element but no password-related XML elements at all causes the WSE 3.0 library to treat the request as authenticated. Together, the two bypasses ensure that even partially patched deployments remain vulnerable. Combined with CVE-2025-2749 (file upload RCE), the chain achieves unauthenticated code execution.

Affected Versions

Product                  Vulnerable    Fixed
Kentico Xperience 13.x   ≤ 13.0.177    13.0.178+ (13.0.179 recommended for all chain fixes)

Technical Details

The vulnerability exploits the behavior of the Microsoft WSE 3.0 SOAP security processing library embedded in Kentico's Staging Service. WSE 3.0 is an end-of-life Microsoft extension library from the early 2000s that implements WS-Security. When a SOAP request arrives containing a <wsse:Security> block with a <wsse:UsernameToken> element that includes only a Username — with no Password, PasswordDigest, or Nonce elements — WSE 3.0 accepts the token as valid authentication due to a logic flaw in handling "None" or absent password types.

An attacker sends a SOAP authentication block with a real, valid username (obtainable from the CMS's publicly accessible pages or guessed from common defaults) but no password. WSE 3.0 approves it, granting the attacker an authenticated session as that user.

This is a distinct bypass path from CVE-2025-2746 — it targets a different code location and requires knowledge of a valid username rather than exploiting the empty-password calculation. Kentico required a separate hotfix (13.0.178) to address this path after 13.0.173 fixed only CVE-2025-2746.
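The following is an added detection helper, not Kentico or WSE 3.0 code: it parses a SOAP envelope and classifies the wsse:UsernameToken, flagging the shape described above (a Username with no Password element at all) so that request logs or a reverse-proxy hook can surface such traffic against the Staging Service. It also generalizes to the related weak shapes (empty password, digest without Nonce/Created). The namespaces are the public OASIS WS-Security 1.0 URIs; the sample envelopes, the username "stagingsync" and the digest/nonce values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# OASIS WS-Security 1.0 namespaces and UsernameToken password types (public URIs)
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST, TEXT = PROFILE + "#PasswordDigest", PROFILE + "#PasswordText"


def inspect_username_token(soap_xml: str) -> dict:
    """Classify the first wsse:UsernameToken in a SOAP envelope. Verdicts: ok,
    no_token, no_password (the CVE-2025-2747 shape), empty_password (the
    CVE-2025-2746 shape), digest_missing_nonce, unknown_password_type."""
    root = ET.fromstring(soap_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return {"verdict": "no_token", "username": None}
    result = {"verdict": "ok", "username": token.findtext(f"{{{WSSE}}}Username", "")}
    pwd = token.find(f"{{{WSSE}}}Password")
    if pwd is None:
        # Username present but no Password/Nonce material at all: the shape WSE 3.0 accepted.
        result["verdict"] = "no_password"
    elif not (pwd.text or "").strip():
        result["verdict"] = "empty_password"
    elif pwd.get("Type", TEXT) == DIGEST:
        # A digest is only verifiable together with the Nonce and Created it was computed over.
        if token.find(f"{{{WSSE}}}Nonce") is None or token.find(f"{{{WSU}}}Created") is None:
            result["verdict"] = "digest_missing_nonce"
    elif pwd.get("Type", TEXT) != TEXT:
        result["verdict"] = "unknown_password_type"
    return result


def flag_requests(bodies) -> list:
    """Return (index, verdict, username) for every captured body that is not a complete token."""
    return [(i, r["verdict"], r["username"]) for i, b in enumerate(bodies)
            if (r := inspect_username_token(b))["verdict"] != "ok"]


def _envelope(token_body: str) -> str:
    # Constructed SOAP envelope; only the UsernameToken contents vary between samples.
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'{token_body}</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>')


# Constructed samples: hypothetical username "stagingsync", placeholder digest and nonce values.
USERNAME_ONLY = _envelope("<wsse:Username>stagingsync</wsse:Username>")
COMPLETE_DIGEST = _envelope(
    '<wsse:Username>stagingsync</wsse:Username>'
    f'<wsse:Password Type="{DIGEST}">PLACEHOLDER_DIGEST==</wsse:Password>'
    '<wsse:Nonce>PLACEHOLDER_NONCE==</wsse:Nonce><wsu:Created>2025-03-24T00:00:00Z</wsu:Created>')
```

Feeding `flag_requests([USERNAME_ONLY, COMPLETE_DIGEST])` a batch of request bodies returns only the username-only entry, which is the event worth alerting on for an unpatched 13.x Staging Service.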

Full pre-auth RCE chain (same as CVE-2025-2746 chain):

  1. CVE-2025-2746 or CVE-2025-2747 (this CVE): Authenticate to /Staging/SyncServer.asmx without valid credentials
  2. CVE-2025-2749: Upload a malicious ASPX webshell → Remote Code Execution

Discovery

WatchTowr Labs (same research as CVE-2025-2746) identified both bypass paths in the same investigation of the Kentico Staging Service endpoint.

Exploitation Context

CISA added CVE-2025-2747 simultaneously with CVE-2025-2746 to the KEV catalog on October 20, 2025. The two CVEs represent two independently exploitable paths to the same result — an attacker who finds one bypass path blocked (by partial patching of only 13.0.173) can fall back to the other. Both must be patched to secure the endpoint.

Remediation

  1. Apply hotfix 13.0.178 specifically addressing CVE-2025-2747; recommend upgrading to 13.0.179+ to close all chain vulnerabilities in one step.
  2. Do not patch only CVE-2025-2746 (13.0.173) — this leaves CVE-2025-2747 open and the full RCE chain remains exploitable.
  3. Switch Staging Service authentication to X.509 certificates — the WSE 3.0 password-type bypass does not affect certificate-based auth.
  4. Restrict the Staging Service endpoint (/Staging/SyncServer.asmx) to known staging server IP addresses at the network level.
  5. Apply the fix for CVE-2025-2749 to close the file upload payload mechanism used in the RCE chain.

Key Details

Property               Value
CVE ID                 CVE-2025-2747
Vendor / Product       Kentico — Xperience CMS
NVD Published          2025-03-24
NVD Last Modified      2025-11-06
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-288
CISA KEV Added         2025-10-20
CISA KEV Deadline      2025-11-10
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-11-10. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-03-24    CVE published; Kentico releases hotfix 13.0.178 (for CVE-2025-2747)
2025-10-20    Added to CISA Known Exploited Vulnerabilities catalog (alongside CVE-2025-2746)
2025-11-10    CISA BOD 22-01 remediation deadline