Kentico Xperience CMS XSS Vulnerability Allows Remote Code Execution

Kentico Xperience CMS, a widely used platform designed for enterprises and organizations, is under scrutiny after a vulnerability chain was discovered that exploits Cross-Site Scripting (XSS) to enable Remote Code Execution (RCE).

This vulnerability was disclosed by researchers who demonstrated its potential harm through a detailed proof of concept.

CVE-2025-2748: Cross-Site Scripting Vulnerability

According to Watch Towr Labs’ report, Kentico’s resource-handling mechanism was pivotal in the discovered vulnerability chain.

The severity stems from two core issues: the unauthenticated fetching of resources via the CMS.UIControls.GetResourceHandler and the presence of an unauthenticated file upload functionality (MultiFileUploader.ashx).

Together, these vulnerabilities allowed attackers to execute advanced exploitation techniques.

Step-by-step Vulnerability Chain

Step 1: Unauthenticated Resource Fetching

The researchers identified a handler that performs unauthenticated retrieval of resources—such as images, files, and scripts. Initially perceived as low-impact, this feature proved significant due to its ability to process SVG files.

SVG files can contain embedded JavaScript and execute malicious code when read by a browser under specific conditions.

Step 2: File Upload Primitive

An unauthenticated file upload handler (CMS.DocumentEngine.Web.UI.ContentUploader) was discovered, enabling attackers to place temporary files within a predictable web-accessible directory.

Though constrained by a whitelist of file extensions, this handler’s functionality opened the door to further exploitation.

Step 3: Leveraging a Custom File Handler

Kentico’s custom file-handling mechanism includes ZIP-processing capabilities. This allows files within ZIP archives to be virtually unpacked and rendered.

The researchers created a malicious SVG file containing executable JavaScript, packaged it into a ZIP archive, and uploaded it using the file upload handler. By calling the uploaded ZIP file via the resource fetch handler, the SVG inside the archive was executed—triggering XSS.

Proof of Concept:

An attacker could upload poc.zip containing poc.svg and read it through the following endpoint:

http://hostname/CMSPages/GetResource.ashx?image=/App_Data/CMSTemp/MultiFileUploader/00/00000000-0000-0000-0000-000000000000/[poc.zip]/poc.svg

This results in JavaScript execution, causing an XSS alert.

Step 4: Post-authentication RCE

CMS platforms like Kentico Xperience often grant privileged users functionalities that include uploading files.

Researchers demonstrated how authenticated users could extend the application’s file extension whitelist and upload ASPX files to the webroot directory for RCE.

By using an uploaded webshell, attackers can remotely execute arbitrary code. While this aspect of the vulnerability requires authentication, it highlights risks associated with weak access controls and privilege misuse.

For a complete demonstration of the vulnerability chain and exploitation process, the researchers have published a video showcasing their findings.

In the proof of concept, malicious commands were executed on the host, demonstrating the full impact of the vulnerability chain.

The research team commended Kentico for its swift action and professionalism in addressing these vulnerabilities.

The company patched the issues promptly upon receiving their report, showcasing their commitment to customer security.

Mitigation Steps

Kentico administrators are advised to:

1. Immediately apply the latest security updates provided by Kentico.
2. Restrict unauthenticated access to vulnerable handlers (e.g., GetResource.ashx and MultiFileUploader.ashx).
3. Validate file uploads rigorously, especially for temporary and custom file handlers.
4. Enforce strong authentication and authorization mechanisms for privileged functionalities like file extension modifications.

While XSS vulnerabilities are often dismissed as minor, this case demonstrates how XSS can lead to critical RCE under the right conditions.

Organizations using Kentico Xperience CMS are urged to assess their systems for similar issues and adopt best practices to prevent exploitation.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free