By Lyrie Threat Intelligence · 4/20/2026

What happened

CISA added CVE-2025-2749 to the Known Exploited Vulnerabilities catalog on 2026-04-20, signaling confirmed in-the-wild exploitation and setting a remediation due date of 2026-05-04 (per BOD 22-01) (CISA KEV). The issue is a path traversal in Kentico Xperience that allows an authenticated user's Staging Sync Server to upload arbitrary data to path-relative locations (NVD CVE-2025-2749; MITRE CVE). CISA directs organizations to apply vendor mitigations or discontinue use if mitigations are unavailable (CISA KEV).

Why it matters

“Known exploited” means real adversaries are already using this bug against targets in the wild (CISA KEV). The vulnerability sits in the Staging Sync path handling for Kentico Xperience, where path-relative inputs can lead to writes outside the intended directories (NVD CVE-2025-2749). That combination aligns with the CWE-22 (path traversal) and CWE-434 (unrestricted file upload) weakness classes, which NVD associates with this CVE (NVD CVE-2025-2749). For Federal Civilian Executive Branch agencies, the KEV due date is a hard remediation timeline under BOD 22-01; enterprises should treat it as a priority window as well (CISA KEV).

Technical detail

Per the published record, Kentico Xperience’s Staging Sync feature accepts input from an authenticated staging server and can be driven to write uploaded data to a path derived from path-relative components (MITRE CVE). This is characteristic of a path traversal sink, where sequences like "../" or related tokens alter the destination beyond the intended base directory (NVD CVE-2025-2749). The CWE mapping confirms the dual nature: traversal (CWE-22) combined with an upload/write capability (CWE-434) increases the impact envelope because user-supplied paths and content converge at the file system boundary (NVD CVE-2025-2749).

Preconditions include an authenticated Staging Sync Server role, making this a machine-to-machine abuse path rather than an anonymous web hit (MITRE CVE). Impact centers on content integrity and potential placement of files outside the intended synchronization scope due to path-relative resolution, which CISA flags as actively exploited and remediation-urgent via KEV inclusion (CISA KEV).

Defense

  • Patch/mitigate now. CISA instructs organizations to apply vendor mitigations per the advisory, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable (CISA KEV).
  • Validate inventory. Identify all Kentico Xperience instances with Staging Sync enabled and ensure each follows vendor mitigation status tracking (NVD CVE-2025-2749).
  • Detection and triage focus:
    - Review staging synchronization logs for path traversal indicators in import destinations (for example, parent directory tokens) consistent with CWE-22 class behavior (NVD CVE-2025-2749).
    - Compare resolved write targets against a canonical base path for the site to catch out-of-scope writes associated with CWE-434-style upload misuse (NVD CVE-2025-2749).
    - Correlate writes initiated by Staging Sync Server identities to ensure they do not land outside the expected synchronization tree, bearing in mind that exploitation requires an authenticated sync context (MITRE CVE).

  • Governance. Track remediation against the KEV due date of 2026-05-04 and document completion in line with BOD 22-01 expectations where applicable (CISA KEV).

Lyrie Verdict

Machine-to-machine abuse is the point of failure here: an authenticated Staging Sync Server can drive path-relative writes, a textbook traversal+upload blend (NVD CVE-2025-2749). Lyrie’s take: don’t wait for human review. Enforce autonomous path normalization, base-path confinement, and per-identity write policies in the synchronization channel. At ingest, normalize requested paths and reject any that resolve outside the sanctioned root; at commit, verify destination against an allowlist derived from the site’s synchronization map—both checks operate at line rate without analyst approval, tuned to the CWE-22/CWE-434 profile (NVD CVE-2025-2749). Telemetry from these controls should be scored in real time and auto-block on violation, aligned with KEV’s “exploited now, fix now” mandate (CISA KEV).
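The base-path confinement check described in the detection bullets and in the verdict above, run over constructed sample staging-sync log lines, as an added Python example that is not from the advisory, CISA or Kentico: the sanctioned root, the log format and the staging identities are assumptions, and the check judges each requested destination by where it resolves rather than by matching "../" tokens.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed sanctioned synchronization root (hypothetical; not taken from the advisory).
SANCTIONED_ROOT = "/var/www/site/StagingSync"

# Constructed sample staging-sync log lines in an assumed format, not real Kentico output.
SAMPLE_LOG = [
    'ts=2026-04-20T10:01:02Z identity=staging-srv-01 dest="media/images/banner.png"',
    'ts=2026-04-20T10:01:05Z identity=staging-srv-01 dest="../../App_Data/web.config"',
    'ts=2026-04-20T10:01:09Z identity=staging-srv-02 dest="..\\..\\bin\\Custom.dll"',
    'ts=2026-04-20T10:01:12Z identity=staging-srv-01 dest="/etc/hostname"',
    'ts=2026-04-20T10:01:15Z identity=staging-srv-02 dest="docs/%2e%2e/%2e%2e/App_Data/CMS.config"',
    'ts=2026-04-20T10:01:18Z identity=staging-srv-01 dest="media/../images/logo.png"',
    'ts=2026-04-20T10:01:21Z identity=staging-srv-02 dest="../StagingSyncOld/notes.txt"',
]
LOG_RE = re.compile(r'identity=(\S+)\s+dest="([^"]*)"')

def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Return the canonical target if `requested` stays inside `root`, else None.
    Backslashes are folded to '/' and one round of percent-decoding is applied, so
    '..\\' and '%2e%2e/' are judged by where they resolve, not by token matching."""
    root = posixpath.normpath(root)
    cleaned = unquote(requested).replace("\\", "/")
    # An absolute request makes posixpath.join discard root; normpath then exposes it
    # as an out-of-root target instead of silently accepting it.
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    # Compare against root + '/' so a sibling like '<root>Old/' is not a false match.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

def flag_out_of_scope(lines: List[str], root: str = SANCTIONED_ROOT) -> List[Tuple[str, str]]:
    """Return (identity, requested_dest) for every logged write that escapes root."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        identity, dest = m.groups()
        if resolve_within_root(root, dest) is None:
            flagged.append((identity, dest))
    return flagged

if __name__ == "__main__":
    for identity, dest in flag_out_of_scope(SAMPLE_LOG):
        print(f"OUT-OF-SCOPE write by {identity}: {dest!r}")
```

On a case-insensitive file system the comparison should be done on case-folded forms of both paths, which this example does not do.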

Lyrie Verdict

Enforce autonomous path normalization and base-path confinement for Staging Sync writes; auto-block any resolved path outside the sanctioned root at machine speed.