An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through 13.0.178.
The Staging Sync Server component in Kentico Xperience improperly handles password verification for servers configured with the 'None' authentication type. An attacker can exploit this vulnerability (CWE-288 — Authentication Bypass Using an Alternate Path or Channel) without any privileges, remotely and without user interaction. As a result, the authentication mechanism is completely bypassed, giving the attacker access to the administrative interface. According to available references, the vulnerability may be part of a chain leading to remote code execution (RCE).
An attacker gains unauthorized control over CMS administrative objects, which can lead to complete system takeover, content modification, data theft, and potential code execution on the server (RCE).
The hotfix available from the manufacturer at https://devnet.kentico.com/download/hotfixes must be applied immediately. It is recommended to update to a version higher than 13.0.178. Until the patch is deployed, consider restricting network access to the Staging Sync Server component at the firewall level.
Kentico Xperience in versions up to and including 13.0.178.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HKentico Xperience
APPKentico≤ 13.0.178
CISA KEV — detailsi
- Vendori
- Kentico
- Producti
- Xperience CMS
- Added to KEVi
- October 20, 2025
- Remediation deadline (US Federal)i
- November 10, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.
Related vulnerabilities
Kentico Xperience – pominięcie uwierzytelnienia w Staging Sync Server
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9....
Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medial...
Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator acces...
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to ...