{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-2746","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-03-24T16:39:11.689Z","datePublished":"2025-03-24T18:16:04.022Z","dateUpdated":"2026-02-26T19:09:16.392Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Staging"],"product":"Xperience","vendor":"Kentico","versions":[{"lessThanOrEqual":"13.0.172","status":"affected","version":"0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:kentico:xperience:*:*:*:*:*:*:*:*","versionEndIncluding":"13.0.172","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Piotr Bazydlo (watchTowr)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.<p>This issue affects Xperience through 13.0.172.</p>"}],"value":"An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects.This issue affects Xperience through 13.0.172."}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-288","description":"CWE-288 Authentication Bypass Using an Alternate Path or Channel","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-12-17T19:32:37.733Z"},"references":[{"tags":["technical-description","exploit"],"url":"https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/"},{"tags":["vendor-advisory","patch"],"url":"https://devnet.kentico.com/download/hotfixes"},{"tags":["exploit"],"url":"https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011"},{"tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/kentico-xperience-staging-sync-server-digest-password-authentication-bypass"}],"source":{"discovery":"UNKNOWN"},"title":"Kentico Xperience <= 13.0.172 Staging Sync Server Digest Password Authentication Bypass","x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-2746","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-10-21T03:55:13.097447Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2025-10-20","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2746"}}}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2746","tags":["government-resource"]}],"timeline":[{"time":"2025-10-20T00:00:00.000Z","lang":"en","value":"CVE-2025-2746 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T19:09:16.392Z"}}]}}