PatchSiren cyber security CVE debrief

CVE-2025-2749 Kentico CVE debrief

CVE-2025-2749 is a Kentico Xperience path traversal vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2026-04-20. The KEV listing indicates this issue is important to remediate promptly, with a due date of 2026-05-04. The supplied source material does not provide a CVSS score or technical exploit details, so the safest response is to follow Kentico’s mitigation guidance and apply any available hotfixes as soon as possible.

Vendor: Kentico
Product: Kentico Xperience
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-04-20
Original CVE updated: 2026-04-20
Advisory published: 2026-04-20
Advisory updated: 2026-04-20

Who should care

Kentico Xperience administrators, security and vulnerability management teams, and any organization running internet-facing or business-critical Kentico Xperience deployments should prioritize this issue.

Technical summary

The available evidence shows a path traversal vulnerability affecting Kentico Xperience and an associated CISA KEV listing. CISA’s KEV entry instructs affected users to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The corpus provided here does not include a CVSS score, affected version list, or deeper exploit mechanics.

Defensive priority

High

Recommended defensive actions

  • Confirm whether Kentico Xperience is deployed anywhere in your environment, including externally hosted or managed instances.
  • Review Kentico’s official hotfix and mitigation guidance and apply the relevant update as soon as possible.
  • Treat exposed or internet-facing deployments as highest priority for validation and remediation.
  • If no effective mitigation or update is available, follow CISA’s guidance to discontinue use of the product.
  • Track remediation against the KEV due date of 2026-05-04 and verify closure through patch or compensating control evidence.

Evidence notes

This debrief is based only on the supplied CISA KEV metadata and official reference links. CISA’s KEV entry names the issue as a Kentico Xperience path traversal vulnerability, marks it as known exploited, lists the date added as 2026-04-20, and sets the due date to 2026-05-04. The source notes point to Kentico hotfixes and the NVD record, but the provided corpus does not include a CVSS score, affected versions, or exploit details.

Official resources

Public debrief prepared from official vulnerability references and the supplied CISA KEV source item only; no exploit instructions or unsupported technical claims included.