Vulnerability Description
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through 13.0.178.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kentico | Xperience | <= 13.0.178 |
Related Weaknesses (CWE)
References
- https://devnet.kentico.com/download/hotfixesPatch
- https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011Third Party Advisory
- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rcExploitThird Party Advisory
- https://www.vulncheck.com/advisories/kentico-xperience-staging-sync-server-none-Third Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-US Government Resource
FAQ
What is CVE-2025-2747?
CVE-2025-2747 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass...
How severe is CVE-2025-2747?
CVE-2025-2747 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-2747?
Check the references section above for vendor advisories and patch information. Affected products include: Kentico Xperience.