CVE-2025-2747 Google Chronicle · YARA-L

Detect Kentico Xperience CMS Authentication Bypass (CVE-2025-2747) in Google Chronicle

Detects exploitation of CVE-2025-2747, an authentication bypass vulnerability (CWE-288) in Kentico Xperience CMS. Attackers can access protected administrative or content management endpoints via alternate paths or channels without valid credentials, enabling unauthorized access to sensitive CMS functionality. This vulnerability is actively exploited in the wild and listed in CISA KEV.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule kentico_xperience_auth_bypass_cve_2025_2747 {
  meta:
    author = "df00tech"
    description = "Detects unauthenticated access to Kentico Xperience CMS administrative paths - CVE-2025-2747"
    severity = "CRITICAL"
    yara_version = "YL2.0"
    rule_version = "1.0"
  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.network.http.response_code in (200, 201, 302)
    (
      re.regex($req.target.url, `(?i)/CMSPages/`) or
      re.regex($req.target.url, `(?i)/CMSModules/`) or
      re.regex($req.target.url, `(?i)/Admin/`) or
      re.regex($req.target.url, `(?i)/KenticoCMS/`) or
      re.regex($req.target.url, `(?i)/CMS/SiteManager`) or
      re.regex($req.target.url, `(?i)/CMSDesk`)
    )
    not re.regex($req.principal.user.userid, `^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$`)
  condition:
    $req
}
critical severity medium confidence

Chronicle YARA-L rule detecting HTTP requests to Kentico Xperience CMS administrative paths that succeed without an authenticated user identity, indicative of CVE-2025-2747 exploitation.

Data Sources

Chronicle SIEM Web Proxy LogsChronicle HTTP Event Logs

Required Tables

NETWORK_HTTP events

False Positives & Tuning

  • Kentico CMS public pages served under paths that overlap with admin path patterns
  • Service accounts whose UPN format does not match the email regex pattern
  • Anonymous public content served via CMS module infrastructure
  • Load balancer health check probes targeting CMS endpoints

Other platforms for CVE-2025-2747

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Kentico CMS Unauthenticated Admin Path Access Simulation

    Expected signal: IIS access logs will record HTTP GET requests to each tested path with the source IP of the test host; requests will appear with no authenticated username (cs_username = '-').

  2. Test 2Alternate Channel Authentication Bypass via Parameter Manipulation

    Expected signal: Web server logs capture each variant request with full URI including query string; WAF logs may flag path traversal patterns in the query string.

  3. Test 3Post-Bypass Webshell Upload Simulation via CMS File Manager

    Expected signal: Windows Security Event Log will show file creation event (Event ID 4663) for test_detection.aspx under the CMS web root; Sysmon Event ID 11 (FileCreate) will capture the new .aspx file creation with the IIS worker process (w3wp.exe) as the creator.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-2747 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1505.003Web Shell

Same Tactic: Initial Access

Popular Detections