CVE-2025-2749

📊 7.2 HIGH⚡ 0.8%🎯 0 exploits

📅 Published Mar 24, 2025

📋 Status: Analyzed

An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.

CVSS v3.1 • [email protected]

🎯 Affected Products & Systems

1 product configurations affected

Filter by type:

Type	Vendor	Product	Version Range	Status	CPE String
📱App	kentico	xperience	≤ 13.0.178	Vulnerable	cpe:2.3:a:kentico:xperience::::::::

📱

kentico / xperience

Application

Vulnerable

Version: ≤ 13.0.178

CPE:

cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*

Metrics

7.2 HIGHCVSS v3.1[email protected]

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector:

NETWORK

Complexity:

LOW

Privileges:

HIGH

User Interaction:

NONE

Confidentiality:

HIGH

Integrity:

HIGH

Availability:

HIGH

Scope:

UNCHANGED

🔍 Technical Details

Analysis Status

Analyzed

CVSS Details

7.2 (HIGH)v3.1

Source: [email protected]

EPSS Details

0.8% (Minimal)72.8th percentile

Last updated: Oct 30, 2025

Exploitation probability within 30 days

Published Date

Mar 24, 2025 (7 months ago)

Last Modified

Oct 17, 2025 (15 days ago)

Security Weaknesses2

CWE-22CWE-434

References2

NVDpatch