CVE-2025-32370

7.2 HIGH

📋 TL;DR

Kentico Xperience CMS versions before 13.0.178 let an unauthenticated attacker bypass the file-extension restrictions on uploads. A .zip file submitted through the ContentUploader passes the check as an archive and is then processed by TryZipProviderSafe, which creates files with whatever extensions the archive entries carry, so the attacker chooses the extensions of the files written to the server. Every installation running a vulnerable version with the ContentUploader reachable by untrusted users is affected. Because a file with a server-executable extension on a .NET web server is a web shell, the bypass can lead to remote code execution.
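The bug class described above, as an added example written for this page: it is not Kentico's code, and the real ContentUploader endpoint, the product's allow-list and the internals of TryZipProviderSafe are not reproduced. The allow-list, the function names and the upload directory are assumptions. The vulnerable handler validates the extension of the uploaded file's name only; the hardened one applies the same allow-list to every archive entry, rejects path traversal, and validates the whole archive before writing anything.

```python
"""Added illustration of CVE-2025-32370's bug class (example code, not Kentico's)."""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumption: an allow-list for a content upload endpoint that also accepts
# archives for bulk upload.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip"}


def extension_allowed(name: str) -> bool:
    """Case-insensitive allow-list check on the last extension of a name."""
    return PurePosixPath(name).suffix.lower() in ALLOWED_EXTENSIONS


def is_zip(name: str) -> bool:
    return PurePosixPath(name).suffix.lower() == ".zip"


def vulnerable_upload(filename: str, data: bytes, upload_dir: Path) -> list[str]:
    """Vulnerable pattern: only the outer file name is validated."""
    if not extension_allowed(filename):
        raise ValueError(f"rejected upload: {filename}")
    if not is_zip(filename):
        (upload_dir / filename).write_bytes(data)
        return [filename]
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Entry name trusted as-is: "shell.aspx" becomes a real .aspx file.
            target = upload_dir / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(archive.read(info))
            written.append(info.filename)
    return written


def validate_archive(data: bytes, upload_dir: str | Path) -> list[str]:
    """Returns the file entries of an archive if every one of them passes the
    same allow-list as a direct upload and stays inside upload_dir. Raises
    ValueError on the first bad entry, before anything is written."""
    root = Path(upload_dir).resolve()
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            entry = PurePosixPath(info.filename.replace("\\", "/"))
            if (entry.is_absolute() or ".." in entry.parts
                    or not (root / entry).resolve().is_relative_to(root)):
                raise ValueError(f"rejected archive entry (path): {info.filename}")
            if not extension_allowed(entry.name):
                raise ValueError(f"rejected archive entry (extension): {info.filename}")
            names.append(info.filename)
    return names


def hardened_upload(filename: str, data: bytes, upload_dir: Path) -> list[str]:
    """Hardened pattern: archive entries get the same checks as a direct upload,
    and the archive is validated in full before any entry is written."""
    if not extension_allowed(filename):
        raise ValueError(f"rejected upload: {filename}")
    if not is_zip(filename):
        (upload_dir / filename).write_bytes(data)
        return [filename]
    names = validate_archive(data, upload_dir)
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in names:
            target = upload_dir / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(archive.read(name))
    return names


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Builds an in-memory archive; used only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    """Runs both handlers on a constructed upload.zip that hides shell.aspx
    behind an allowed archive extension, and reports what each handler did."""
    payload = build_zip({"image.jpg": b"\xff\xd8\xff", "shell.aspx": b"<% Response.Write(1) %>"})
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        result["vulnerable_wrote"] = sorted(vulnerable_upload("upload.zip", payload, Path(tmp)))
        result["vulnerable_created_aspx"] = (Path(tmp) / "shell.aspx").exists()
    with tempfile.TemporaryDirectory() as tmp:
        try:
            hardened_upload("upload.zip", payload, Path(tmp))
            result["hardened_error"] = None
        except ValueError as exc:
            result["hardened_error"] = str(exc)
        result["hardened_created_aspx"] = (Path(tmp) / "shell.aspx").exists()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version checks the whole archive before writing because a per-entry check that writes as it goes still leaves the allowed entries on disk when a later one is rejected; failing closed keeps a rejected upload from leaving anything behind.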

💻 Affected Systems

Products:
  • Kentico Xperience CMS
Versions: All versions before 13.0.178
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects installations with ContentUploader functionality enabled and accessible to unauthenticated users.

📦 What is this software?

Kentico Xperience is a commercial ASP.NET content management system and digital experience platform from Kentico Software. ContentUploader, referenced above, is one of its file upload components.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete compromise of the server, data theft, and lateral movement within the network.

🟠 Likely Case: The upload is used to drop a web shell (a file with a server-executable extension), giving the attacker arbitrary command execution on the server.

🟢 If Mitigated: With ContentUploader restricted to authenticated users and .zip uploads rejected (or archive entries validated against the same extension allow-list as direct uploads), the bypass is not reachable and the impact is limited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public technical analysis available showing exploitation path from file upload to RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.0.178 or later

Vendor Advisory: https://devnet.kentico.com/download/hotfixes

Restart Required: Yes

Instructions:

1. Download the hotfix from Kentico DevNet.
2. Apply it to the affected Kentico Xperience installation.
3. Restart the application/services.
4. Verify that the reported version is 13.0.178 or higher.

🔧 Temporary Workarounds

Disable unauthenticated file uploads (applies to: all)

Restrict ContentUploader functionality to authenticated users only.

Block .zip uploads (applies to: all)

Configure web application firewall or server rules to block .zip file uploads to the vulnerable endpoints. A rule that matches on the request URL's extension does not cover this case: the .zip arrives inside a multipart form body, so the rule has to inspect the uploaded file's name (the Content-Disposition filename) or the file's magic bytes rather than the URL.

🧯 If You Can't Patch

  • Implement strict file upload validation rejecting all .zip files.
  • Isolate Kentico instance behind reverse proxy with strict content filtering.

🔍 How to Verify

Check if Vulnerable:

Installations reporting a Kentico Xperience version below 13.0.178 are vulnerable; the version is shown in the administration interface and recorded in web.config.

Check Version:

Administration -> System -> About in the Kentico interface.

Verify Fix Applied:

Confirm the version is 13.0.178 or higher, then retest the upload path: submit a .zip containing an entry with a disallowed extension (for example a file named test.aspx) through ContentUploader and confirm that no such file is created on the server.

📡 Detection & Monitoring

Log Indicators:

  • .zip uploads to the ContentUploader endpoint from unauthenticated sources, especially from clients with no other activity on the site
  • Files with server-executable or otherwise unexpected extensions appearing under the upload directory

Network Indicators:

  • POST requests carrying .zip files to upload endpoints
  • Requests to the newly created files shortly afterwards (a dropped web shell is useless until it is called)

SIEM Query:

source="web_server" AND (uri_path="*upload*" AND file_extension="zip")

The file_extension field has to come from something that sees the multipart body (a WAF or reverse proxy that logs the uploaded filename); plain web server access logs record the request URL, not the name of the file inside the POST.
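The network indicators above correlated in plain access logs, as an added example written for this page (not vendor or page code). The log lines are constructed and simplified (one space-separated record per request: time, client IP, method, path, status, request content type); the upload endpoint path, the upload root and the extension list are assumptions. Because an access log does not show what was inside the POST, the logic does not try to see the .zip; it flags a successful request to a server-executable file under the upload root, and raises the severity when the same client POSTed to an upload endpoint shortly before.

```python
"""Added example: upload-then-execute correlation over web access logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: extensions that must never be served from a user-writable
# upload directory, how long after an upload a first hit is still "related",
# and where uploads live. The endpoint marker mirrors uri_path="*upload*".
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".svc", ".config"}
WINDOW = timedelta(minutes=30)
UPLOAD_ENDPOINT_MARKER = "upload"
UPLOAD_ROOT = "/media/uploads/"

# Constructed sample log: an upload followed by a hit on shell.aspx, a benign
# upload, a 404 probe, and a much later revisit of the shell.
SAMPLE_LOG = """\
2025-04-10T12:00:01Z 203.0.113.5 POST /upload 200 multipart/form-data
2025-04-10T12:00:04Z 203.0.113.5 GET /media/uploads/shell.aspx 200 -
2025-04-10T12:01:10Z 198.51.100.7 POST /upload 200 multipart/form-data
2025-04-10T12:01:12Z 198.51.100.7 GET /media/uploads/photo.jpg 200 -
2025-04-10T12:05:00Z 192.0.2.9 GET /media/uploads/old.ashx 404 -
2025-04-10T13:30:00Z 203.0.113.5 GET /media/uploads/shell.aspx 200 -
"""


def parse_line(line: str) -> dict:
    """Splits one constructed record into its fields."""
    ts, client, method, path, status, content_type = line.split(" ", 5)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "path": path,
        "status": int(status),
        "content_type": content_type,
    }


def extension_of(path: str) -> str:
    """Lower-cased last extension of the path component, ignoring any query."""
    name = path.rsplit("/", 1)[-1].split("?", 1)[0]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect(log_text: str) -> list[dict]:
    """Returns one finding per successful request to an executable file under
    UPLOAD_ROOT. Rule "upload_then_exec" fires when the same client POSTed to
    an upload endpoint within WINDOW beforehand; "exec_under_uploads" otherwise."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    uploads = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and UPLOAD_ENDPOINT_MARKER in e["path"].lower():
            uploads[e["client"]].append(e["time"])
    findings = []
    for e in events:
        if not (e["path"].startswith(UPLOAD_ROOT) and 200 <= e["status"] < 300):
            continue
        if extension_of(e["path"]) not in EXECUTABLE_EXTENSIONS:
            continue
        prior = [t for t in uploads[e["client"]] if timedelta(0) <= e["time"] - t <= WINDOW]
        findings.append({
            "time": e["time"].isoformat(),
            "client": e["client"],
            "path": e["path"],
            "rule": "upload_then_exec" if prior else "exec_under_uploads",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Correlating on the client address is a convenience, not a guarantee: an attacker can upload from one address and call the shell from another, which is why the weaker rule still fires on any successful hit of an executable extension under the upload root.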
