On 20 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2025‑2749 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Kentico Xperience, a digital experience platform from Kentico, and is titled the Kentico Xperience Path Traversal Vulnerability. It allows an authenticated user with access to the Staging Sync Server to upload arbitrary files to locations outside the intended directory via a path‑traversal condition.
The vulnerability is a server‑side path traversal issue that is exploitable over the network by an authenticated user, enabling an attacker to write or overwrite files on the underlying host. Depending on what is overwritten, this could lead to remote code execution, data alteration, or denial of service. The NVD assigns a CVSS v3.1 base score of 7.2, rated High. Kentico has released a patch; the advisory and hotfixes are available from the vendor’s devnet site.
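The defect class described above, a server-side path join that trusts a client-supplied file name, is worth seeing next to its fix. The following Python is an added illustration and is not Kentico code; the upload root, function names and sample file names are all hypothetical. It shows the vulnerable join pattern, a hardened version that refuses any target outside the resolved upload root, and a small triage helper a defender can run over upload names recorded in request logs to spot traversal attempts against an unpatched instance.

```python
"""Added example: rejecting path traversal in a file-upload handler (not Kentico code)."""
import os
from pathlib import Path
from urllib.parse import unquote

# Hypothetical upload root used for illustration; it need not exist on disk.
UPLOAD_ROOT = "/srv/xperience-staging/uploads"


def naive_target_path(root: str, client_name: str) -> str:
    """Vulnerable pattern: the client-controlled name is joined onto the root
    and normalised but never checked, so '..' segments (or an absolute name)
    silently move the write outside the intended directory."""
    return os.path.normpath(os.path.join(root, client_name))


def safe_target_path(root: str, client_name: str) -> str:
    """Hardened pattern: resolve the candidate and insist that the result lies
    strictly inside the resolved upload root. Raises ValueError for anything
    that would land on the root itself or anywhere outside it."""
    root_path = Path(root).resolve()
    candidate = (root_path / client_name).resolve()
    # `root_path / "/abs/name"` discards root_path entirely, so absolute names
    # fail the containment test in exactly the same way '../' sequences do.
    if candidate == root_path or root_path not in candidate.parents:
        raise ValueError(f"rejected upload name outside root: {client_name!r}")
    return str(candidate)


def looks_like_traversal(client_name: str) -> bool:
    """Detection heuristic for log review: flag names that contain a '..'
    path segment (after URL-decoding and normalising backslashes) or that
    are absolute / drive-rooted. A name like 'report..pdf' is not flagged,
    because '..' there is not a whole segment."""
    decoded = unquote(unquote(client_name)).replace("\\", "/")
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def triage_upload_names(names):
    """Return the subset of the given upload names that warrant a closer look."""
    return [n for n in names if looks_like_traversal(n)]


if __name__ == "__main__":
    # Constructed sample names, not real request data.
    samples = ["site/page.txt", "../../web.config", "%2e%2e/%2e%2e/web.config",
               "report..pdf", "..\\..\\web.config", "/etc/passwd"]
    print("flagged for review:", triage_upload_names(samples))
    for name in ["site/page.txt", "sub/../page.txt", "../../web.config"]:
        try:
            print(name, "->", safe_target_path(UPLOAD_ROOT, name))
        except ValueError as exc:
            print(name, "->", exc)
```

The containment check deliberately compares resolved paths rather than string prefixes, so a sibling directory whose name merely begins with the root (for example `uploads-old`) is also rejected; the detection helper double-decodes because traversal sequences in logged URLs are often percent-encoded once or twice.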
Inclusion in the KEV catalogue means CISA has evidence that the vulnerability is being actively exploited in the wild. No public reports link this flaw to ransomware campaigns at this time. Federal Civilian Executive Branch (FCEB) agencies must apply the required mitigations by 4 May 2026, the remediation deadline set by CISA.
CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the directive binds FCEB agencies, all organisations are advised to inventory their Kentico Xperience deployments, verify patch levels, and implement the vendor’s hotfix or equivalent controls.
For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-2749 and the CISA KEV catalogue.