XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748)
A security research team uncovered a critical chain of vulnerabilities in Kentico Xperience 13, a widely used content management system, that together could lead to Remote Code Execution (RCE). The chain combined three weaknesses: an unauthenticated resource-fetching handler, an unauthenticated file upload handler, and an authenticated file upload function. Chained together, these allowed an attacker to upload and execute arbitrary files on the server, including webshells. Kentico responded promptly to the disclosure and fixed the vulnerabilities in version 13.0.178. The CVE-2025-2748 timeline reflects a swift response: the issue was discovered on February 10, 2025, and patched by March 6, 2025. The incident underscores the value of ongoing security testing and rapid vendor response in preventing breaches; operators running Kentico Xperience 13 should confirm they are on 13.0.178 or later.