Kentico CMS Deserialization RCE - Vulnerability Database

Kentico CMS Deserialization RCE

Description

Kentico CMS is an ASP.NET-based web content management system that contains a critical deserialization vulnerability in its API. The application accepts user-supplied serialized data and deserializes it using .NET's BinaryFormatter without proper validation. This unsafe deserialization practice allows attackers to instantiate arbitrary objects and execute malicious code by crafting specially designed serialized payloads.

Remediation

Immediately upgrade Kentico CMS to the latest patched version that addresses CVE-2019-10068. Refer to the official Kentico hotfixes page for version-specific security updates.

If immediate patching is not possible, implement the following interim mitigations:

1. Restrict network access to the Kentico CMS administrative interfaces using firewall rules or IP whitelisting
2. Monitor application logs for suspicious deserialization attempts or unexpected DNS queries
3. Review and harden application pool permissions to follow the principle of least privilege

Long-term remediation should include replacing insecure deserialization methods with safe alternatives such as JSON serialization with strict type validation, or implementing deserialization binders that restrict allowed types to a known safe list.
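To make the long-term guidance concrete, the following C# sketch is an added example written for this entry; it is not Kentico's code and does not reflect how the affected API is implemented. It places the unsafe `BinaryFormatter` pattern from the description beside two hardened alternatives: a `SerializationBinder` that maps type names to an explicit allow-list (unknown names throw instead of being resolved), and a `System.Text.Json` path that deserializes into one fixed DTO and validates its fields. `PageExportRequest` and the sample payloads are constructed for illustration. It assumes a runtime where `BinaryFormatter` is still available (for example .NET Framework 4.8, or .NET 6 to 8 with the SYSLIB0011 warning acknowledged) and `System.Text.Json` is referenced.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical DTO standing in for whatever the application actually exchanges.
[Serializable]
public sealed class PageExportRequest
{
    public string PageAlias { get; set; }
    public int Version { get; set; }
}

// Binder that resolves only an explicit allow-list. Type names from the payload are
// never passed to Type.GetType, so an attacker-supplied name cannot load anything.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(PageExportRequest).FullName] = typeof(PageExportRequest),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type))
            return type;
        throw new SerializationException($"Type '{typeName}' is not permitted during deserialization.");
    }
}

public static class DeserializationDemo
{
    // Vulnerable pattern (as described above): whatever type the payload names is instantiated.
    public static object DeserializeUnsafe(byte[] payload)
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream(payload))
            return formatter.Deserialize(ms);
    }

    // Interim hardening for legacy code: the binder rejects every type outside the allow-list.
    public static PageExportRequest DeserializeWithBinder(byte[] payload)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(payload))
            return (PageExportRequest)formatter.Deserialize(ms);
    }

    // Preferred replacement: a data-only format bound to one target type, then validated.
    public static PageExportRequest DeserializeJson(string json)
    {
        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        var request = JsonSerializer.Deserialize<PageExportRequest>(json, options);
        if (request == null || string.IsNullOrWhiteSpace(request.PageAlias) || request.Version < 0)
            throw new InvalidDataException("Request failed validation.");
        return request;
    }

    private static byte[] Serialize(object graph)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, graph);
            return ms.ToArray();
        }
    }

    public static void Main()
    {
        // Constructed legitimate payload: accepted by the binder.
        byte[] good = Serialize(new PageExportRequest { PageAlias = "home", Version = 3 });
        var viaBinder = DeserializeWithBinder(good);
        Console.WriteLine($"binder accepted: {viaBinder.PageAlias} v{viaBinder.Version}");

        // Constructed payload naming a harmless but non-allow-listed type: rejected before instantiation.
        byte[] other = Serialize(new Version(1, 0));
        try { DeserializeWithBinder(other); }
        catch (SerializationException e) { Console.WriteLine($"binder rejected: {e.Message}"); }

        // Same request carried as JSON, which has no notion of instantiating arbitrary types.
        var viaJson = DeserializeJson("{\"pageAlias\":\"home\",\"version\":3}");
        Console.WriteLine($"json: {viaJson.PageAlias} v{viaJson.Version}");
    }
}
```

The binder is a stop-gap for code that cannot drop `BinaryFormatter` yet: Microsoft's own guidance is that a binder narrows the attack surface but does not make `BinaryFormatter` safe, so the JSON path is the end state. Keep the allow-list to plain data classes; never put types with side-effecting constructors or `ISerializable` implementations on it.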
