COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2025-2749

CVE-2025-2749

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-04-20
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-2749
⚡ RCE ⌖ exploited in the wild shame 45/100 rceexploited-in-wildsupply-chainunpatched

Kentico Xperience allows authenticated users to upload arbitrary files via path traversal, enabling data exfiltration or system compromise.

This path traversal flaw in Kentico Xperience's Staging Sync Server permits authenticated users to write files to arbitrary locations, creating a supply-chain risk for DIB vendors relying on Kentico CMS. While not an RCE, the ability to upload files to sensitive directories could facilitate privilege escalation or data exfiltration, requiring immediate patching and vendor assessment.

Shame score — A known path traversal vulnerability in a widely-used CMS product that allows authenticated users to upload arbitrary files, posing a moderate supply-chain risk.

Players implicated

Kentico · vendorKentico Xperience · product

Description

Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.