Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)
March 26, 2025, 8:50 p.m.
Description
Two critical security flaws, CVE-2025-2746 and CVE-2025-2747, have been discovered in Kentico Xperience 13, a digital experience platform. Both vulnerabilities allow an unauthenticated attacker to bypass the Staging Sync Server's authentication, potentially gaining administrative control over the CMS. Both issues carry a CVSS score of 9.8 (critical). The vulnerabilities affect Kentico Xperience through version 13.0.178 when the Staging Service is enabled and configured to use username/password authentication; deployments that do not expose the Staging Service, or that use certificate-based authentication for it, are not in the affected configuration. Exploitation can lead to unauthorized administrative access, remote code execution, data breaches, and system disruption. Mitigation steps include applying the vendor patch, disabling or restricting network access to the Staging Service, switching it to certificate-based authentication, and implementing enhanced monitoring and hardening measures.
Tags
Date
- Created: March 26, 2025, 8:15 p.m.
- Published: March 26, 2025, 8:15 p.m.
- Modified: March 26, 2025, 8:50 p.m.
Attack Patterns
- T1078.004
- T1505.003
- T1021.001
- T1550
- T1136
- T1213
- T1212
- T1190
- T1133
- T1078