CVE-2025-2748 Scanner
CVE-2025-2748 Scanner - Cross-Site Scripting (XSS) vulnerability in Kentico Xperience CMS
Short Info
Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 6 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Kentico Xperience CMS is a popular digital experience platform used by developers, marketers, and content creators to build and manage enterprise-level websites, online stores, and intranet portals. It is utilized by organizations globally across industries like education, healthcare, and finance for digital transformation. The platform offers customizable modules, integration with third-party systems, and powerful content management tools. Developers often integrate it with .NET environments to build dynamic and personalized websites. Businesses use Kentico Xperience for its scalability, extensive API support, and strong user and workflow management features. The application is widely deployed in both on-premise and cloud environments.
The vulnerability in question is a stored cross-site scripting (XSS) issue. It allows an attacker to upload a malicious SVG file through the multi-file upload feature, which stores the file without validating its contents. Once stored, the file executes JavaScript in the context of the victim's browser when it is opened. Because the upload requires no authentication, any user or automated bot can exploit the issue. This can result in session hijacking, phishing attacks, or defacement. The flaw exists in versions through 13.0.178, so any deployment on that version or earlier is affected.
The vulnerable endpoint is `/CMSModules/Content/CMSPages/MultiFileUploader.ashx`. It accepts user-supplied files in a `POST` request, and the application does not sanitize SVG content. The exploit sends a crafted ZIP archive containing an `xss.svg` file with embedded JavaScript; once uploaded, the file is stored in a publicly accessible location. A subsequent `GET` request for that path returns the file with a `Content-Type` of `image/svg+xml`, so the browser renders it as an SVG document and executes the embedded script.
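A defensive check for the upload path described above, added here as an example and not Kentico's own code: it opens a ZIP upload as the report describes, parses every SVG entry and reports active content (script elements, `on*` event handlers, scriptable URIs) so the archive can be rejected before anything is stored under a public path. The sample archive, its entry names and the function names are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Hypothetical defensive check (not Kentico code); in production parse with defusedxml
# instead of xml.etree so entity-expansion tricks cannot stall the parser.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URI_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href", "to", "values", "from"}
BAD_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


def svg_findings(data: bytes) -> list:
    """Reasons this SVG must not be stored and served as image/svg+xml (empty = clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]   # malformed input is rejected, not guessed at
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the XML namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):                # onload, onclick, ...
                findings.append(f"{local} handler on <{tag}>")
            elif name in URI_ATTRS and BAD_URI.match(value):
                findings.append(f"scriptable URI in {local} on <{tag}>")
    return findings


def check_zip_upload(blob: bytes) -> dict:
    """Map every .svg entry of an uploaded ZIP to its findings; reject the upload if any are non-empty."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # The extension is attacker-chosen; real code should sniff content of every entry.
            if info.filename.lower().endswith(".svg"):
                result[info.filename] = svg_findings(zf.read(info))
    return result


def build_sample_zip() -> bytes:
    """Constructed sample upload: one SVG with a script element and an onload handler, one clean SVG."""
    hostile = b'<svg xmlns="http://www.w3.org/2000/svg" onload=""><script/></svg>'
    clean = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xss.svg", hostile)
        zf.writestr("logo.svg", clean)
    return buf.getvalue()
```

Even after this check, stored SVGs are safest served with `Content-Disposition: attachment` or a sandboxing `Content-Security-Policy`, so a file that slips through is downloaded rather than rendered.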
If exploited, this vulnerability allows attackers to execute scripts in the context of Kentico users who visit the resource. Potential consequences include session hijacking, user impersonation, or redirecting users to malicious websites. In environments with privileged users, this may escalate to full admin compromise or data theft. Attackers can leverage this as a foothold for broader compromise or lateral movement within internal networks. It may also affect brand reputation if publicly exploited. The unauthenticated nature of the flaw increases the likelihood of mass exploitation by bots or automated scanners.