CVE-2025-2746
📊 9.8 CRITICAL | ⚡ 66.5% | 🎯 0 exploits | 🏛️ KEV Listed
📅 Published Mar 24, 2025
📋 Status: Analyzed
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.172.
CVSS v3.1 • [email protected]
🎯 Affected Products & Systems
1 product configuration affected
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges: NONE
User Interaction: NONE
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
Scope: UNCHANGED
🔍 Technical Details
Analysis Status: Analyzed
CVSS Details: 9.8 (CRITICAL), v3.1
Source: [email protected]
EPSS Details: 66.5% (High), 98.5th percentile
Last updated: Oct 29, 2025
Exploitation probability within 30 days
Published Date: Mar 24, 2025 (7 months ago)
Last Modified: Oct 27, 2025 (4 days ago)
Security Weaknesses (1)
CWE-288