Vulnerability intelligence
CVE-2025-2749
Kentico Xperience Path Traversal Vulnerability
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code execution.This issue affects Kentico Xperience through 13.0.178.
CVSS Score
7.2
High
EPSS — Exploit Probability
4.8%
Riskier than 90% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2026-05-04
CISA required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-05-04.
5 articles across 5 outlets · first covered Apr 21, 2026 · latest Apr 21, 2026
Associated threat actors
Coverage timeline
-
CISA Adds Cisco SD WAN, Zimbra XSS Flaws to KEV Catalogwww.securityweek.com · Apr 21, 2026
-
CISA adds weaponised PaperCut, TeamCity flaws to KEV catalogsecurityaffairs.com · Apr 21, 2026
-
CISA adds eight KEV flaws, Cisco SDWAN bugs actively exploitedthehackernews.com · Apr 21, 2026
-
CISA adds Kentico Xperience path traversal flaw to KEV catalogwww.cisa.gov · Apr 21, 2026
-
CISA Adds CVE-2025-2749 to Known Exploited Vulnerabilities Cataloguecisa.gov · Apr 21, 2026