CVE-2025-2747

Kentico Xperience CMS Authentication Bypass (CVE-2025-2747)

Initial Access Privilege Escalation Defense Evasion Last updated:

Detects exploitation of CVE-2025-2747, an authentication bypass vulnerability (CWE-288) in Kentico Xperience CMS. Attackers can access protected administrative or content management endpoints via alternate paths or channels without valid credentials, enabling unauthorized access to sensitive CMS functionality. This vulnerability is actively exploited in the wild and listed in CISA KEV.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Kentico
Product
Xperience CMS

Weakness (CWE)

CWE-288

Timeline

Disclosed
October 20, 2025

CVSS

Unscored
Write-up coming soon

What is CVE-2025-2747 Kentico Xperience CMS Authentication Bypass (CVE-2025-2747)?

Kentico Xperience CMS Authentication Bypass (CVE-2025-2747) (CVE-2025-2747) maps to the Initial Access and Privilege Escalation and Defense Evasion tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Kentico Xperience CMS Authentication Bypass (CVE-2025-2747), covering the data sources and telemetry it touches: IIS Web Logs, Azure Application Gateway Logs, Microsoft Sentinel W3CIISLog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion
Microsoft Sentinel / Defender
kusto 
union isfuzzy=true
(
  W3CIISLog
  | where csUriStem has_any ("/CMSPages/", "/CMSModules/", "/Admin/", "/KenticoCMS/", "/cms/", "/CMS/", "/cmspages/")
  | where csUriStem has_any ("GetResource", "CMSFormControls", "GetDoc", "CMSDesk", "sitemanager", "SiteManager")
  | where scStatus in (200, 201, 302) and csUsername in ("", "-", "anonymous")
  | project TimeGenerated, Computer, csClientIP=c_ip, csMethod=cs_method, csUriStem=cs_uri_stem, csUriQuery=cs_uri_query, scStatus=sc_status, scBytes=sc_bytes, csUsername=cs_username, csUserAgent=cs_user_agent
),
(
  AzureDiagnostics
  | where Category == "ApplicationGatewayAccessLog"
  | where requestUri_s has_any ("/CMSPages/", "/CMSModules/", "/Admin/", "/KenticoCMS/")
  | where httpStatus_d in (200, 201, 302)
  | project TimeGenerated, clientIP_s, requestUri_s, httpStatus_d, userAgent_s, host_s
)
| where TimeGenerated >= ago(1d)

Detects unauthenticated or anonymously-authenticated HTTP requests to sensitive Kentico Xperience CMS administrative and module paths that return successful HTTP responses, which may indicate authentication bypass exploitation.

critical severity medium confidence

Data Sources

IIS Web Logs Azure Application Gateway Logs Microsoft Sentinel W3CIISLog

Required Tables

W3CIISLog AzureDiagnostics

False Positives

  • Legitimate public-facing CMS pages under /CMSPages/ that are intentionally unauthenticated
  • Health check or monitoring probes accessing CMS resource endpoints
  • CDN or reverse proxy pre-fetching static assets served through CMS module paths
  • Automated site crawlers or SEO tools accessing publicly exposed CMS paths

Sigma rule & cross-platform mapping

The detection logic for Kentico Xperience CMS Authentication Bypass (CVE-2025-2747) (CVE-2025-2747) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-2747 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-2747

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Kentico CMS Unauthenticated Admin Path Access Simulation

    Expected signal: IIS access logs will record HTTP GET requests to each tested path with the source IP of the test host; requests will appear with no authenticated username (cs_username = '-').

  2. Test 2Alternate Channel Authentication Bypass via Parameter Manipulation

    Expected signal: Web server logs capture each variant request with full URI including query string; WAF logs may flag path traversal patterns in the query string.

  3. Test 3Post-Bypass Webshell Upload Simulation via CMS File Manager

    Expected signal: Windows Security Event Log will show file creation event (Event ID 4663) for test_detection.aspx under the CMS web root; Sysmon Event ID 11 (FileCreate) will capture the new .aspx file creation with the IIS worker process (w3wp.exe) as the creator.

Unlock Pro Content

Get the full detection package for CVE-2025-2747 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1505.003Web Shell

Same Tactic: Initial Access

Popular Detections