![Apple Music Experiencing Outage [Update: Fixed]](https://images.macrumors.com/t/cBpeJ95wekMRm8-YbPPJQhJrDsY=/1920x/article-new/2024/08/apple-music.jpg)
![New Apple M3 iPad Air On Sale for $50 Off [Deal]](https://www.iclarified.com/images/news/96759/96759/96759-640.jpg)
![[The AI Show Episode 139]: The Government Knows AGI Is Coming, Superintelligence Strategy, OpenAI’s $20,000 Per Month Agents & Top 100 Gen AI Apps](https://www.marketingaiinstitute.com/hubfs/ep%20139%20cover-2.png)
![[The AI Show Episode 138]: Introducing GPT-4.5, Claude 3.7 Sonnet, Alexa+, Deep Research Now in ChatGPT Plus & How AI Is Disrupting Writing](https://www.marketingaiinstitute.com/hubfs/ep%20138%20cover.png)
![Excel/Spreadsheet Formula Help: Splitting and Reimbursing Shared Expenses [closed]](https://cdn.sstatic.net/Sites/softwareengineering/Img/apple-touch-icon@2.png?v=1ef7363febba)
Kentico Xperience CMS Authentication Bypass Vulnerability Allow Attackers Execute Arbitrary Code Remotely
Researchers discovered critical vulnerabilities in Kentico’s Xperience CMS that could allow attackers to completely compromise affected systems. The vulnerabilities, identified as WT-2025-0006, WT-2025-0007, and WT-2025-0011, can be chained together to achieve unauthenticated remote code execution on systems with common configurations. Researchers at watchTowr Labs identified two distinct authentication bypass vulnerabilities and one post-authentication remote code […] The post Kentico Xperience CMS Authentication Bypass Vulnerability Allow Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.
Researchers discovered critical vulnerabilities in Kentico’s Xperience CMS that could allow attackers to completely compromise affected systems.
The vulnerabilities, identified as WT-2025-0006, WT-2025-0007, and WT-2025-0011, can be chained together to achieve unauthenticated remote code execution on systems with common configurations.
Researchers at watchTowr Labs identified two distinct authentication bypass vulnerabilities and one post-authentication remote code execution flaw.
These issues affect Kentico Xperience version 13 installations with the Staging Service enabled and configured to use username/password authentication rather than X.509 certificates.
Kentico Xperience CMS Authentication Bypass Vulnerability
The first authentication bypass (WT-2025-0006) exploits a logical flaw in how the CMS handles authentication in its Staging Service API.
By manipulating SOAP requests to use password digest authentication with a specially crafted username token, attackers can gain administrative access without valid credentials.
A simplified example of the exploit involves sending a SOAP request with:
The second authentication bypass (WT-2025-0011) is even more concerning, requiring only a username with no password at all:
Once authenticated, attackers can exploit the post-authentication RCE vulnerability (WT-2025-0007) by abusing a path traversal flaw in the media file upload functionality.
This allows writing files to arbitrary locations on the server’s filesystem.
The vulnerabilities stem from multiple issues:
The first bypass occurs because when an invalid username is provided, the system returns an empty string instead of throwing an exception.
Combined with hash-based password verification, this creates an authentication bypass.
The second bypass exploits a logical flaw in Microsoft’s obsolete Web Services Enhancement 3.0 library, where the system fails to validate tokens with the “SendNone” password option.
The RCE vulnerability exists because the CheckAndEnsureFilePath method fails to properly validate file paths, allowing attackers to write files outside intended directories.
According to watchTowr Labs Report, these vulnerabilities “can be trivially chained for RCE” and give attackers “full control over the CMS.”
Kentico addressed these issues in several updates:
- WT-2025-0006 was patched in Kentico Xperience 13.0.173
- WT-2025-0011 and WT-2025-0007 were patched in Kentico Xperience 13.0.178
Security teams can verify if their systems are vulnerable using detection tools published by watchTowr on GitHub.
The researchers also warn against using Microsoft’s Web Services Enhancement 3.0 library, stating: “Please, do not use the obsolete Microsoft Web Services Enhancement 3.0 for anything – you’ll get rekt.”
Organizations are strongly advised to upgrade to the latest version immediately, especially if using username/password authentication for the Staging Service.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
The post Kentico Xperience CMS Authentication Bypass Vulnerability Allow Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.
