Detect CVE-2025-2746: Kentico Xperience CMS Authentication Bypass in Splunk
Detects exploitation of CVE-2025-2746, an authentication bypass vulnerability (CWE-288) in Kentico Xperience CMS that allows attackers to access protected resources via alternate paths or channels without valid credentials. This vulnerability is actively exploited in the wild (CISA KEV).
MITRE ATT&CK
SPL Detection Query
index=web OR index=iis sourcetype=iis OR sourcetype=ms:iis:auto
| eval uri=coalesce(cs_uri_stem, uri_path, url)
| eval status=coalesce(sc_status, status, http_status_code)
| eval src_ip=coalesce(c_ip, src_ip, clientip)
| eval username=coalesce(cs_username, user, username)
| where match(uri, "(?i)(/CMSPages/|/CMSModules/|/CMSAdminControls/|/CMS/|/Admin/)")
| where status IN ("200", "201", "302", "301")
| where (isnull(username) OR username="-" OR username="")
| where NOT match(uri, "(?i)(login|logon|signin|forgot|reset)")
| bucket _time span=5m
| stats
count AS request_count,
dc(uri) AS distinct_uris,
values(uri) AS uri_samples,
values(cs_user_agent) AS user_agents,
min(_time) AS first_seen,
max(_time) AS last_seen
BY _time, src_ip, cs_host
| where request_count >= 3
| eval severity=if(distinct_uris>=5, "high", "medium")
| eval cve="CVE-2025-2746"
| table first_seen, last_seen, src_ip, cs_host, request_count, distinct_uris, uri_samples, user_agents, severity, cveDetects unauthenticated HTTP requests to Kentico Xperience CMS administrative paths returning success status codes. Authentication bypass via alternate path (CWE-288) would manifest as successful access to protected CMS resources without a valid user session.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate CMS administrators accessing pages via bookmark or direct URL without active session (session expiry)
- Automated content syndication services polling public-facing CMS endpoints that share path patterns with admin areas
- Penetration testing or vulnerability scanning activity from authorized security teams
- CDN or reverse proxy infrastructure that may not forward authentication headers correctly
Other platforms for CVE-2025-2746
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2025-2746 Authentication Bypass Path Enumeration
Expected signal: IIS access log entries showing HTTP GET requests to /CMSPages/, /CMSModules/, /CMSAdminControls/, /CMS/, and /Admin/ paths from the test host IP without a cs-username value, with HTTP response codes of 200, 302, or 401 depending on patch status.
- Test 2CVE-2025-2746 Alternate Path Channel Bypass Attempt
Expected signal: IIS logs should capture the URL-encoded and case-variant path requests. ASP.NET request normalization may cause the logged URI to differ from the requested URI — look for both raw and normalized forms in telemetry. Windows Security Event Log may show failed authorization attempts (Event ID 4625) if integrated auth is configured.
- Test 3CVE-2025-2746 Post-Exploitation CMS Account Creation Simulation
Expected signal: IIS logs showing POST request to /CMSModules/Membership/Pages/Users/User_Edit_General.aspx without authentication. Kentico CMS_EventLog table entries for user creation attempt. Windows Security Event Log entries for IIS process activity. If successful on unpatched system, CMS_User table will contain the new account.
- Test 4CVE-2025-2746 Network-Level Authentication Bypass Detection Validation
Expected signal: 10 concurrent HTTP requests to Kentico CMS paths appearing in IIS logs within a 1-second window, all from the same source IP without authentication headers. The burst pattern should appear clearly in SIEM dashboards.
Unlock Pro Content
Get the full detection package for CVE-2025-2746 including response playbook, investigation guide, and atomic red team tests.