CVE-2025-2746: Kentico Xperience CMS Authentication Bypass
Detects exploitation of CVE-2025-2746, an authentication bypass vulnerability (CWE-288) in Kentico Xperience CMS that allows attackers to access protected resources via alternate paths or channels without valid credentials. This vulnerability is actively exploited in the wild (CISA KEV).
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Kentico
- Product
- Xperience CMS
Weakness (CWE)
Timeline
- Disclosed
- October 20, 2025
References & Proof of Concept
CVSS
What is CVE-2025-2746 CVE-2025-2746: Kentico Xperience CMS Authentication Bypass?
CVE-2025-2746: Kentico Xperience CMS Authentication Bypass (CVE-2025-2746) maps to the Initial Access and Persistence and Privilege Escalation tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2025-2746: Kentico Xperience CMS Authentication Bypass, covering the data sources and telemetry it touches: IIS Web Logs, Azure Monitor, Microsoft Defender for Endpoint. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union DeviceNetworkEvents, W3CIISLog
| where TimeGenerated >= ago(7d)
| where (
(csUriStem has_any ("/CMSPages/", "/CMSModules/", "/CMSAdminControls/", "/CMS/", "/Admin/"))
or (RequestUri has_any ("/CMSPages/", "/CMSModules/", "/CMSAdminControls/", "/CMS/", "/Admin/"))
)
| where (
(scStatus in (200, 201, 302) and csUriStem has_any ("login", "logon", "signin", "auth") == false)
or (csUriStem matches regex @"(?i)(/\.\./|%2e%2e|%252e%252e|/admin(?!.*login))")
)
| where (csUsername == "-" or csUsername == "" or isnull(csUsername))
| summarize
RequestCount = count(),
DistinctURIs = dcount(csUriStem),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
URISamples = make_set(csUriStem, 10),
UserAgents = make_set(csUserAgent, 5)
by csClientIP, csHost, bin(TimeGenerated, 5m)
| where RequestCount >= 3
| extend AlertSeverity = iff(DistinctURIs >= 5, "High", "Medium")
| project FirstSeen, LastSeen, csClientIP, csHost, RequestCount, DistinctURIs, URISamples, UserAgents, AlertSeverityDetects unauthenticated access to Kentico Xperience CMS administrative and protected paths, indicative of authentication bypass via alternate path or channel (CVE-2025-2746). Monitors IIS logs for requests to CMS admin areas without valid session credentials returning success HTTP codes.
Data Sources
Required Tables
False Positives
- Legitimate administrative users accessing CMS pages from known IP ranges without persistent session cookies (first visit after logout)
- Monitoring or health-check services that probe CMS paths without authentication headers
- Web application firewalls or load balancers that strip authentication headers before forwarding requests
- Internal security scanning tools performing authenticated scans that appear unauthenticated in logs
Sigma rule & cross-platform mapping
The detection logic for CVE-2025-2746: Kentico Xperience CMS Authentication Bypass (CVE-2025-2746) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-2746
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2025-2746 Authentication Bypass Path Enumeration
Expected signal: IIS access log entries showing HTTP GET requests to /CMSPages/, /CMSModules/, /CMSAdminControls/, /CMS/, and /Admin/ paths from the test host IP without a cs-username value, with HTTP response codes of 200, 302, or 401 depending on patch status.
- Test 2CVE-2025-2746 Alternate Path Channel Bypass Attempt
Expected signal: IIS logs should capture the URL-encoded and case-variant path requests. ASP.NET request normalization may cause the logged URI to differ from the requested URI — look for both raw and normalized forms in telemetry. Windows Security Event Log may show failed authorization attempts (Event ID 4625) if integrated auth is configured.
- Test 3CVE-2025-2746 Post-Exploitation CMS Account Creation Simulation
Expected signal: IIS logs showing POST request to /CMSModules/Membership/Pages/Users/User_Edit_General.aspx without authentication. Kentico CMS_EventLog table entries for user creation attempt. Windows Security Event Log entries for IIS process activity. If successful on unpatched system, CMS_User table will contain the new account.
- Test 4CVE-2025-2746 Network-Level Authentication Bypass Detection Validation
Expected signal: 10 concurrent HTTP requests to Kentico CMS paths appearing in IIS logs within a 1-second window, all from the same source IP without authentication headers. The burst pattern should appear clearly in SIEM dashboards.
Unlock Pro Content
Get the full detection package for CVE-2025-2746 including response playbook, investigation guide, and atomic red team tests.