An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through 13.0.172.
The vulnerability (CWE-288) consists of improper handling of empty SHA1 usernames during the digest authentication process in the Staging Sync Server component. An attacker without any permissions can send a crafted request with an empty username, which will be incorrectly accepted by the password verification mechanism. As a result, the server bypasses proper identity verification and grants access to protected administrative resources.
Successful exploitation of the vulnerability allows an unauthenticated attacker to remotely take control of Kentico Xperience administrative objects, which may lead to complete compromise of confidentiality, integrity, and availability of the CMS system.
The hotfix available from the vendor at https://devnet.kentico.com/download/hotfixes should be applied immediately, updating the system above version 13.0.172. Due to confirmed active exploitation and inclusion in the CISA KEV catalog, patch deployment should be treated as a priority.
Kentico Xperience in versions up to and including 13.0.172.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HKentico Xperience
APPKentico≤ 13.0.172
CISA KEV — detailsi
- Vendori
- Kentico
- Producti
- Xperience CMS
- Added to KEVi
- October 20, 2025
- Remediation deadline (US Federal)i
- November 10, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.
Related vulnerabilities
Kentico Xperience — Authentication Bypass w komponencie Staging Sync Server
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9....
Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medial...
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator acces...
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to ...