How the CVE Works:
CVE-2025-32370 is a flaw in Kentico Xperience (< v13.0.178) where the ContentUploader allows unauthenticated users to upload `.zip` files. Although the system restricts certain file extensions, the `TryZipProviderSafe` function processes `.zip` archives and extracts their contents without proper validation. Attackers can craft malicious `.zip` files containing executable scripts (e.g., `.aspx`, `.php`) that bypass the extension filters because the filter is applied to the archive, not to the files inside it. Once extracted, these files enable remote code execution (RCE) on the server. This vulnerability is independent of SVG or XSS flaws, focusing solely on improper archive handling.
DailyCVE Form:
Platform: Kentico Xperience
Version: < 13.0.178
Vulnerability: Arbitrary File Upload
Severity: Critical
Date: 04/08/2025
What Undercode Say:
Analytics:
- Attack Vector: Network (unauthenticated)
- Exploitability: High (low complexity, no privileges)
- Impact: RCE, data compromise
Exploit Commands:
1. Craft a malicious `.zip` containing a webshell (`shell.aspx`): `zip exploit.zip shell.aspx`
2. Upload it via the vulnerable endpoint (e.g., `/CMSModules/ContentUploader/Uploader.aspx`): `curl -F "file=@exploit.zip" http://target/uploader`
Protection Commands:
1. Patch to v13.0.178+: `wget https://kentico.com/security-updates -O patch.zip`
2. Block unauthenticated uploads in `web.config`:

```xml
<location path="CMSModules/ContentUploader">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
```
Detection Code (Python):

```python
import requests


def check_vuln(url):
    # Probe the uploader endpoint with a minimal ZIP local-file header and look for the
    # zip-handling code path being referenced in the response. This is a heuristic
    # fingerprint of the unpatched handler, not proof that extraction succeeded.
    response = requests.post(
        url + "/CMSModules/ContentUploader/Uploader.aspx",
        files={"file": ("test.zip", b"PK\x03\x04")},
        timeout=10,
    )
    return "TryZipProviderSafe" in response.text
```
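A passive check that complements the active probe above, added here and not part of the original post: it parses IIS W3C log records (a constructed sample, not from a real server) and flags anonymous POSTs to the ContentUploader endpoint, plus any later request for a script-type file under an upload directory, which is what a successfully dropped file being reached would look like. The `/media/` upload root, the script-extension set and the log field layout are assumptions about the deployment.

```python
# Assumptions about the deployment (adjust to the site): the uploader route and the
# web-reachable directory where uploaded media lands.
UPLOADER_PATH = "/cmsmodules/contentuploader/"
UPLOAD_ROOTS = ("/media/",)
SCRIPT_EXTENSIONS = {"aspx", "ashx", "asmx", "php", "cshtml"}

# Constructed IIS W3C log excerpt: ordinary traffic, two anonymous POSTs to the uploader
# (one before and one after hardening), a request for a script under /media/, and one
# authenticated upload by a named editor.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-04-08 10:15:01 10.0.0.5 GET /CMSPages/GetResource.ashx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 12
2025-04-08 10:15:04 10.0.0.5 POST /CMSModules/ContentUploader/Uploader.aspx - 443 - 203.0.113.9 curl/8.4.0 200 0 0 340
2025-04-08 10:15:05 10.0.0.5 GET /media/shell.aspx - 443 - 203.0.113.9 curl/8.4.0 200 0 0 55
2025-04-08 10:16:10 10.0.0.5 POST /CMSModules/ContentUploader/Uploader.aspx - 443 editor@example.com 192.0.2.20 Mozilla/5.0 200 0 0 210
2025-04-08 10:17:30 10.0.0.5 POST /cmsmodules/contentuploader/uploader.aspx - 443 - 203.0.113.9 python-requests/2.31 403 0 0 8
"""


def parse_w3c(text: str):
    """Yield one dict per record; the #Fields directive defines the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_anonymous_uploads(entries):
    """Anonymous (cs-username '-') POSTs to the uploader endpoint, whatever the status code."""
    hits = []
    for e in entries:
        if (e["cs-method"].upper() == "POST"
                and UPLOADER_PATH in e["cs-uri-stem"].lower()
                and e["cs-username"] == "-"):
            hits.append((f"{e['date']} {e['time']}", e["c-ip"], int(e["sc-status"])))
    return hits


def find_script_requests(entries):
    """Requests for script-type files under an upload root: a dropped file being reached."""
    hits = []
    for e in entries:
        stem = e["cs-uri-stem"]
        low = stem.lower()
        ext = low.rsplit(".", 1)[-1] if "." in low else ""
        if low.startswith(UPLOAD_ROOTS) and ext in SCRIPT_EXTENSIONS:
            hits.append((f"{e['date']} {e['time']}", e["c-ip"], stem))
    return hits


def analyze(text: str) -> dict:
    """Run both detections over one log and return the findings keyed by kind."""
    entries = list(parse_w3c(text))
    return {
        "anonymous_uploads": find_anonymous_uploads(entries),
        "script_requests": find_script_requests(entries),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Matching on the lower-cased URI stem matters because IIS paths are case-insensitive and the second anonymous POST in the sample uses a different case; the 403 on that record is still reported, since a blocked attempt is useful evidence even after the `web.config` rule is in place.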
Mitigation Code (PowerShell):

```powershell
# Temporarily reject .zip requests at the IIS request-filtering layer until the vendor
# patch is applied. fileExtensions is a collection, so the entry is added with
# Add-WebConfigurationProperty; adjust -PSPath to the affected site.
Import-Module WebAdministration
Add-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter "system.webServer/security/requestFiltering/fileExtensions" `
    -Name "." -Value @{fileExtension=".zip"; allowed="False"}
# Caveat: request filtering checks the extension of the requested URL, not the name of a
# file carried in a multipart POST body, so on its own this does not stop a .zip sent to
# Uploader.aspx. The <deny users="?" /> rule in web.config above is the effective stop-gap.
```
Recommendations:
- Apply vendor patches immediately.
- Audit server directories for suspicious files (`.aspx`, `.php`).
- Restrict uploader endpoints to authenticated roles.
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-32370