ZCyberNews
CVE-2025-2749: Kentico Xperience Path Traversal Under Active Exploit

CISA adds CVE-2025-2749 to KEV catalog: Kentico Xperience path traversal lets authenticated Staging Sync Server upload arbitrary files. Due date for federal agencies: May 4, 2026.

Executive Summary

CISA added CVE-2025-2749, a path traversal vulnerability in Kentico Xperience, to its Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026, confirming active exploitation in the wild. The flaw allows an authenticated user, via the Staging Sync Server, to upload arbitrary data to path-relative locations, effectively enabling file writes outside the intended directories. U.S. federal agencies are required to apply mitigations per vendor instructions or discontinue use of the product by May 4, 2026, per Binding Operational Directive (BOD) 22-01. NVD has not publicly assigned a CVSS score as of this writing, but the KEV inclusion and the mandated two-week remediation window indicate a severity that warrants immediate attention.

Technical Analysis

CVE-2025-2749 resides in the Staging Sync Server component of Kentico Xperience, a .NET-based content management system (CMS) widely used by enterprises and government organizations. According to CISA's advisory, the vulnerability is a path traversal flaw that permits an authenticated attacker — specifically one with access to the staging synchronization mechanism — to upload arbitrary files to locations outside the intended staging directory. The Staging Sync Server is designed to replicate content changes between environments (e.g., development to production); the flaw subverts path validation during file transfer operations.

The vulnerability requires authentication to the staging sync functionality, which limits the attack surface to users with legitimate staging credentials or those who have compromised such accounts. However, once exploited, an attacker can write arbitrary files — including web shells, modified configuration files, or malicious binaries — to arbitrary locations on the server file system. This can lead to remote code execution, privilege escalation, or persistent backdoor access, depending on the write target and server configuration.

Kentico has not publicly released a patch or detailed advisory for Xperience as of May 17, 2026. CISA's KEV entry directs organizations to "apply mitigations per vendor instructions," but the vendor's specific guidance remains unclear. The absence of a patch is notable given the confirmed active exploitation; organizations running Kentico Xperience should treat the vulnerability as a high-priority risk and implement compensating controls immediately.

Mitigations & Recommendations

Given the lack of a vendor-supplied patch, defenders should prioritize the following compensating controls:

  • Restrict network access to the Staging Sync Server to only trusted IP ranges or internal networks. If the staging service is exposed to the internet, block inbound access immediately.
  • Audit and rotate all staging synchronization credentials. Ensure that accounts with staging privileges follow least-privilege principles and are not shared across environments.
  • Enable detailed logging on the Staging Sync Server and monitor for anomalous file write operations, especially to directories outside the expected staging path (e.g., wwwroot, bin, App_Code).
  • Deploy web application firewall (WAF) rules to detect and block path traversal patterns in staging sync requests, such as ../ sequences or encoded variants.
  • If the product cannot be adequately isolated or monitored, consider discontinuing use of the staging sync functionality or the product entirely, as CISA's BOD 22-01 guidance permits for cloud services.
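As an added example that is not part of the original article or of Kentico's own code, the following Python implements the monitoring check described in the bullets above: it normalizes a client-supplied relative path (unifying backslashes and decoding single- or double-URL-encoded `..` sequences), tests whether it would resolve outside an assumed staging root, and runs that test over constructed sample request-log lines. The log format, the staging root `/var/www/staging`, and the user name are assumptions.

```python
import posixpath
from urllib.parse import unquote

STAGING_ROOT = "/var/www/staging"  # assumed location; adjust to your deployment


def normalize_relative_path(raw: str) -> str:
    """Decode up to two rounds of URL encoding and unify path separators."""
    decoded = raw
    for _ in range(2):  # catches %2e%2e as well as double-encoded %252e%252e
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def escapes_root(raw_path: str, root: str = STAGING_ROOT) -> bool:
    """True if raw_path, resolved beneath root, would land outside root."""
    rel = normalize_relative_path(raw_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(root, rel))
    return target != root and not target.startswith(root.rstrip("/") + "/")


# Constructed sample log lines: "<timestamp> <user> <verb> <path parameter>"
SAMPLE_LOG = [
    "2026-04-21T10:00:01Z syncuser PUT pages/home.aspx",
    "2026-04-21T10:00:02Z syncuser PUT ../../wwwroot/x.aspx",
    "2026-04-21T10:00:03Z syncuser PUT %2e%2e%2f%2e%2e%2fbin/x.dll",
    "2026-04-21T10:00:04Z syncuser PUT %252e%252e%252fApp_Code/x.cs",
    "2026-04-21T10:00:05Z syncuser PUT ..\\..\\web.config",
    "2026-04-21T10:00:06Z syncuser PUT media/img/logo.png",
]


def flag_traversal_requests(lines):
    """Return (timestamp, user, raw_path) for each request that escapes the root."""
    hits = []
    for line in lines:
        ts, user, _verb, raw = line.split(" ", 3)
        if escapes_root(raw):
            hits.append((ts, user, raw))
    return hits


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("ALERT staging path escapes root:", *hit)
```

Only requests whose resolved target leaves the staging root are flagged, so legitimate nested paths such as `media/img/logo.png` pass while encoded and backslash variants of `..` are caught.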

Federal agencies subject to BOD 22-01 must comply by May 4, 2026. Non-federal organizations should treat this as a critical remediation timeline given active exploitation.
