Kentico Staging API Authentication Bypass
Description
Kentico is an ASP.NET-based web content management system that uses a Staging API to synchronize data between production and development environments.
A critical authentication bypass vulnerability exists in the Kentico Staging API that allows unauthenticated remote attackers to bypass authentication controls and access privileged API functionality. This vulnerability can be exploited without any user interaction or prior authentication, enabling attackers to execute unauthorized operations that may lead to complete server compromise.
Remediation
Take the following steps to remediate this vulnerability:
1. Immediately apply security patches: Download and install the latest hotfixes from the official Kentico hotfix repository at https://devnet.kentico.com/download/hotfixes
2. Verify affected versions: Identify if your Kentico installation is vulnerable by checking your version against the CVE advisories for CVE-2025-2747 and CVE-2025-2746
3. Implement network-level controls: Until patches can be applied, restrict access to the Staging API endpoints using firewall rules or web application firewall (WAF) policies to allow only trusted IP addresses
4. Review access logs: Examine server and application logs for any suspicious access attempts to the Staging API, particularly from unexpected IP addresses or during unusual time periods
5. Validate patch deployment: After applying updates, verify that the authentication bypass vulnerability has been resolved by testing authentication controls on the Staging API
6. Monitor for exploitation: Implement continuous monitoring for unauthorized API access attempts and unusual staging synchronization activities