www.cisa.gov 4/21/2026, 12:58:48 AM · via preferred

CISA adds Kentico Xperience path traversal flaw to KEV catalog

CyberSIXT Evidence Panel
Primary Source: nvd.nist.gov
CISA KEV: Listed in KEV
Patch: Patch Available

According to CISA, the Known Exploited Vulnerabilities (KEV) Catalog now lists CVE-2025-2749, a Kentico Xperience path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations. The entry's Date Added is 20 April 2026, with a due date of 4 May 2026. Its "Known To Be Used in Ransomware Campaigns?" field reads Unknown.

The entry advises applying mitigations per vendor instructions, following applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable. Additional notes reference download links for hotfixes and the NIST CVE page for CVE-2025-2749.


Article by CyberSIXT
