Kentico Xperience Path Traversal Vulnerability
Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.
A remote attacker, with administrative privileges, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2026-05-04 under CISA BOD 22-01.
This is a Path Traversal (CWE-22) vulnerability in Kentico Kentico Xperience. An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178. Exploitation requires remote network access, low attack complexity, an administrative account, and no user interaction required.
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References