Kentico Xperience CMS Authentication Bypass Vulnerability Allows Attackers to Execute Arbitrary Code Remotely


Mar 18, 2025 - 09:56

Researchers discovered critical vulnerabilities in Kentico’s Xperience CMS that could allow attackers to completely compromise affected systems. 

The vulnerabilities, identified as WT-2025-0006, WT-2025-0007, and WT-2025-0011, can be chained together to achieve unauthenticated remote code execution on systems with common configurations.

Researchers at watchTowr Labs identified two distinct authentication bypass vulnerabilities and one post-authentication remote code execution flaw. 

These issues affect Kentico Xperience version 13 installations with the Staging Service enabled and configured to use username/password authentication rather than X.509 certificates.

Kentico Xperience CMS Authentication Bypass Vulnerability 

The first authentication bypass (WT-2025-0006) exploits a logical flaw in how the CMS handles authentication in its Staging Service API.

By manipulating SOAP requests to use password digest authentication with a specially crafted username token, attackers can gain administrative access without valid credentials.

A simplified example of the exploit involves sending a SOAP request with:

The second authentication bypass (WT-2025-0011) is even more concerning, requiring only a username with no password at all:

Once authenticated, attackers can exploit the post-authentication RCE vulnerability (WT-2025-0007) by abusing a path traversal flaw in the media file upload functionality.

This allows writing files to arbitrary locations on the server’s filesystem.

The vulnerabilities stem from multiple issues:

The first bypass occurs because when an invalid username is provided, the system returns an empty string instead of throwing an exception.

Combined with hash-based password verification, this creates an authentication bypass.
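The fail-open lookup described above, modelled as an added example (not Kentico's code and not part of the original article): it assumes the standard WS-Security UsernameToken digest, Base64(SHA-1(nonce + created + password)), and uses a constructed user store and hypothetical function names to show the flawed verifier beside a fail-closed one.

```python
import base64
import hashlib
import hmac

# Constructed credential store for this example (not Kentico data).
USERS = {"staging_admin": "S3cure-Example-Pass"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def verify_fail_open(username: str, nonce: bytes, created: str, digest: str) -> bool:
    # Flawed pattern: an unknown user yields "" instead of an error, so the
    # expected digest is computed over a secret that anyone can reproduce.
    stored = USERS.get(username, "")
    return hmac.compare_digest(password_digest(nonce, created, stored), digest)


def verify_fail_closed(username: str, nonce: bytes, created: str, digest: str) -> bool:
    # Hardened pattern: reject an unknown user or empty secret before hashing.
    stored = USERS.get(username)
    if not stored:
        return False
    return hmac.compare_digest(password_digest(nonce, created, stored), digest)


def compare_verifiers() -> dict:
    nonce, created = b"\x01" * 16, "2025-03-18T09:56:00Z"  # constructed values
    no_secret = password_digest(nonce, created, "")  # built without any password
    good = password_digest(nonce, created, USERS["staging_admin"])
    return {
        "open_unknown_user": verify_fail_open("no-such-user", nonce, created, no_secret),
        "closed_unknown_user": verify_fail_closed("no-such-user", nonce, created, no_secret),
        "closed_valid_login": verify_fail_closed("staging_admin", nonce, created, good),
        "closed_known_user_no_secret": verify_fail_closed("staging_admin", nonce, created, no_secret),
    }


if __name__ == "__main__":
    for case, accepted in compare_verifiers().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The only difference between the two verifiers is whether a failed lookup stops the request or silently becomes an empty secret that feeds the hash comparison.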

The second bypass exploits a logical flaw in Microsoft’s obsolete Web Services Enhancement 3.0 library, where the system fails to validate tokens with the “SendNone” password option.

The RCE vulnerability exists because the CheckAndEnsureFilePath method fails to properly validate file paths, allowing attackers to write files outside intended directories.

According to the watchTowr Labs report, these vulnerabilities “can be trivially chained for RCE” and give attackers “full control over the CMS.”

Kentico addressed these issues in several updates:

  • WT-2025-0006 was patched in Kentico Xperience 13.0.173
  • WT-2025-0011 and WT-2025-0007 were patched in Kentico Xperience 13.0.178

Security teams can verify if their systems are vulnerable using detection tools published by watchTowr on GitHub. 

The researchers also warn against using Microsoft’s Web Services Enhancement 3.0 library, stating: “Please, do not use the obsolete Microsoft Web Services Enhancement 3.0 for anything – you’ll get rekt.”

Organizations are strongly advised to upgrade to the latest version immediately, especially if using username/password authentication for the Staging Service.


The post Kentico Xperience CMS Authentication Bypass Vulnerability Allows Attackers to Execute Arbitrary Code Remotely appeared first on Cyber Security News.