Researchers discovered critical vulnerabilities in Kentico\u2019s Xperience CMS<\/a> that could allow attackers to completely compromise affected systems.\u00a0<\/p>\n The vulnerabilities, identified as WT-2025-0006, WT-2025-0007, and WT-2025-0011, can be chained together to achieve unauthenticated remote code execution on systems with common configurations.<\/p>\n Researchers at watchTowr Labs identified two distinct authentication bypass vulnerabilities and one post-authentication remote code execution flaw.\u00a0<\/p>\n These issues affect Kentico Xperience version 13 installations with the Staging Service enabled and configured to use username\/password authentication rather than X.509 certificates.<\/p>\n The first authentication bypass (WT-2025-0006) exploits a logical flaw in how the CMS handles authentication in its Staging Service API<\/a>.\u00a0<\/p>\n By manipulating SOAP requests to use password digest authentication with a specially crafted username token, attackers can gain administrative access without valid credentials.<\/p>\n A simplified example of the exploit involves sending a SOAP request with:<\/p>\n The second authentication bypass (WT-2025-0011) is even more concerning, requiring only a username with no password at all:<\/p>\n Once authenticated, attackers can exploit the post-authentication RCE vulnerability<\/a> (WT-2025-0007) by abusing a path traversal flaw in the media file upload functionality. <\/p>\n This allows writing files to arbitrary locations on the server\u2019s filesystem.<\/p>\n The vulnerabilities stem from multiple issues:<\/p>\n The first bypass occurs because when an invalid username is provided, the system returns an empty string instead of throwing an exception. <\/p>\n Combined with hash-based password verification<\/a>, this creates an authentication bypass.<\/p>\n The second bypass exploits a logical flaw in Microsoft\u2019s obsolete Web Services Enhancement 3.0 library, where the system fails to validate tokens with the \u201cSendNone\u201d password option.<\/p>\n The RCE vulnerability exists because the CheckAndEnsureFilePath method fails to properly validate file paths, allowing attackers to write files outside intended directories.<\/p>\n According to watchTowr Labs Report<\/a>, these vulnerabilities \u201ccan be trivially chained for RCE\u201d and give attackers \u201cfull control over the CMS.\u201d\u00a0<\/p>\n Kentico addressed these issues in several updates:<\/p>\n Security teams can verify if their systems are vulnerable using detection tools published by watchTowr on GitHub.\u00a0<\/p>\n The researchers also warn against using Microsoft\u2019s Web Services Enhancement 3.0 library, stating: \u201cPlease, do not use the obsolete Microsoft<\/a> Web Services Enhancement 3.0 for anything \u2013 you\u2019ll get rekt.\u201d<\/p>\n Organizations are strongly advised to upgrade to the latest version immediately, especially if using username\/password authentication for the Staging Service.<\/p>\n The post Kentico Xperience CMS Authentication Bypass Vulnerability Allow Attackers Execute Arbitrary Code Remotely<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKentico Xperience CMS Authentication Bypass Vulnerability\u00a0<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdZs-Fid8aLgQjfztbtE8tK-3DeLl8A5v4gfksqKxltS6AZS4gnYskH7V2UePla9pDIWhC7b9dwn3KB4AsYD0k7ZCDUBG_h06bb3XZVGYKTZckHCoReLbGE_azf1sTdFPqNru9ysg?key=srVij_oTEksdAmS1Ljk9DPoZ\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdQ4mSSrn645lRXHg8KOnIdocE63QPLl-7ea-YkKsi52K29DVIQRBPsbq45kQvtNqRhANT73WLCWr8lIl2vNTAKmujSdXXk3qDlFGap4yRFKAtd_a2SnxewT9cWpJtzv68du0Bhww?key=srVij_oTEksdAmS1Ljk9DPoZ\")
\n
Are you from SOC\/DFIR Teams? \u2013 Analyse Malware Incidents & get live Access with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/strong><\/p>\n