# XSS To RCE By Abusing Custom File Handlers – Kentico Xperience CMS (CVE-2025-2748)
We know what you’re waiting for – this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to it’s wide usage, the type of solution, and the types of enterprises using this solution – any serious vulnerability, or chain of vulnerabilities to serious impact, is no bueno – and so we have more to tell you about today.
As you may remember from our previous blog post, Kentico’s Xperience CMS product is a CMS solution aimed at enterprises but widely used by organizations of various sizes. In our previous blog post, we walked through the discovery of numerous vulnerabilities, ultimately finding and chaining multiple Authentication Bypass vulnerabilities with a post-authentication Remote Code Execution vulnerability.
We’re keen to walk through another vulnerability chain we put together in February – going from a Cross-Site Scripting (XSS) vulnerability to full Remote Code Execution on a target Kentico Xperience CMS install – before reporting to Kentico themselves for remediation.
We can hear some of you yelling, “Laaaaaaaaaaaame!” This is for one simple fact—XSS vulnerabilities (and client-side vulnerabilities in general) are typically not our focus. Bluntly, we don’t see real-world threat actors exploiting XSS at scale in real-world incidents.
> Editors note: Please do not take this as a challenge to explain computers to us and how XSSs “acshully” are super exciting and relevant to your local ransomware gang. We get it – you defend your home network from APTs wielding XSSs and we’d encourage you to keep this delusion to your ~/diary.txt.
While we honestly didn’t see ourselves writing about XSSs this year, life never ceases to surprise us.
There are two reasons why we decided to write about this chain today:
1. The identified XSS is interesting from a technical perspective, relying on two fairly unusual (but minor) server-side flaws, which can be combined to achieve XSS.
2. Within Kentico’s Xperience CMS, privileged users have access to extremely sensitive functionality (as per most CMSs). Theoretically, this functionality could be available to us via the XSS, and thus, we have a potential path to RCE.
**Once again, we would like to highlight that Kentico was a pleasure to work with and incredibly professional—as indicated in the speed at which Kentico has resolved issues highlighted to them. This doesn’t just make things easier for us (which is arguably completely irrelevant), but most importantly, it demonstrates a real commitment to acting in the best interests of their customer base.**
Now that we’ve justified ourselves to the Internet, we can continue.
### Step 1 – Unauthenticated Resource Fetching Handler
When we review any enterprise code base, there are a number of vulnerability primitives that we look for – ultimately, we don’t know what we’ll find until we look.
While looking through the Kentico Xperience CMS codebase and mapping out unauthenticated functionality, we immediately stumbled into a handler that made us feel uneasy – taking file paths, from unauthenticated users, and returning the contents of said files.
Kentico Xperience exposes the `CMS.UIControls.GetResourceHandler` handler through `/CMSPages/GetResource.ashx` endpoint.
This handler is accessible without authentication, and its purpose is very similar to the resource handlers across all the software. As discussed, it allows unauthenticated users to fetch non-sensitive resources, like images.
Could be useful?
Let’s have a look at the code:
“`
public void ProcessRequest(HttpContext context) { if (!DebugHelper.DebugResources) { DebugHelper.DisableDebug(); OutputFilterContext.LogCurrentOutputToFile = false; } if (!context.Request.QueryString.HasKeys()) { GetResourceHandler.SendNoContent(context); } if (QueryHelper.Contains(“scriptfile”)) { GetResourceHandler.ProcessJSFileRequest(context); return; } if (QueryHelper.Contains(“image”)) { GetResourceHandler.ProcessImageFileRequest(context); // [1] return; } if (QueryHelper.Contains(“file”)) { GetResourceHandler.ProcessFileRequest(context); return; } if (QueryHelper.Contains(“scriptmodule”)) { GetResourceHandler.ProcessScriptModuleRequest(context, QueryHelper.GetString(“scriptmodule”, null)); return; } if (!string.IsNullOrEmpty(QueryHelper.GetString(“newslettertemplatename”, “”))) { new ActionResultRouteHandler().GetHttpHandler(CMSHttpContext.Current.Request.RequestContext).ProcessRequest(context); return; } CMSCssSettings cmscssSettings = new CMSCssSettings(); cmscssSettings.LoadFromQueryString(); GetResourceHandler.ProcessRequest(context, cmscssSettings); }
“`
As you can see, we fall into a group of if statements based on whether the URI sent to this handler contains various parameters, such as `image` or `file`. For instance, if your URL contains a `file` parameter, the `ProcessFileRequest` method is called with the context of the HTTP request.
Let’s consider the `ProcessImageFileRequest` function that is called for URLs containing an `image` parameter with the `GetResource.ashx` endpoint ( `[1]`) – you likely don’t need to be a genius to deduce that this functionality is designed to allow us to fetch an image.
In order to reach it, we need to send a sample HTTP request like this:
`GET /CMSPages/GetResource.ashx?image=/path/to/file`
For more detail, we can have a look at the code:
“`
private static void ProcessImageFileRequest(HttpContext context) { string text = QueryHelper.GetString(“image”, string.Empty); int num = text.IndexOf(“?”, StringComparison.Ordinal); if (num >= 0) { text = text.Substring(0, num); } if (!text.StartsWith(“/”, StringComparison.Ordinal) && !text.StartsWith(“~/”, StringComparison.Ordinal)) // [1] { text = “~/App_Themes/Default/Images/” + text; // [2] if (!CMS.IO.File.ExistsRelative(text)) { CMS.IO.Path.GetMappedPath(ref text); } } bool useCache = QueryHelper.GetString(“chset”, null) == null; GetResourceHandler.ProcessPhysicalFileRequest(context, text, “##IMAGE##”, false, useCache); }
“`
At `[1]`, the code checks if the user-supplied path provided in the value of the image parameter starts with `/` or `~/`.
If not, it appends the attacker-controlled path to the `~/App_Themes/Default/Images/` path at `[2]`.
We have some “expected” Absolute Path traversal here. We can start our path with `/` and we can potentially point the code to any location (it will soon become clear, that it’s not entirely true).
We will eventually reach the `GetResourceHandler.ProcessPhysicalFileRequest` method with the potentially modified path. This is quite a long method, thus we will show you the most interesting fragments only.
“`
private static void ProcessPhysicalFileRequest(HttpContext context, string path, string fileExtension, bool minificationEnabled, bool useCache) { string text = URLHelper.GetPhysicalPath(URLHelper.GetVirtualPath(path)); // [1] GetResourceHandler.CheckRevalidation(context, text); // [2] //… if (fileExtension == “##IMAGE##” || fileExtension == “##FILE##”) { string extension = CMS.IO.Path.GetExtension(text); if (fileExtension == “##IMAGE##” && ImageHelper.IsImage(extension)) // [3] { fileExtension = extension; } else if (fileExtension == “##FILE##” && GetResourceHandler.mAllowedFileExtensions.Contains(extension)) { fileExtension = extension; } cmsoutputResource = GetResourceHandler.GetFile(path, fileExtension, false, true); // [4] } //… }
“`
At `[1]` and `[2]`, as you’d expect, path validation and modification methods are called. They take the processed path delivered through the `image` parameter and perform operations.
Without going too deep, and as a brief tl;dr, these methods **won’t allow you to traverse past the webroot of the application**. Simply – it means that we can potentially reach any file, but this file needs to be located within the webroot of the application.
This is common .NET application behaviour, and to illustrate this we’ve walked through some examples. In the context of these examples, let’s assume that our webroot path is: `C:\inetpub\wwwroot\Kentico13\CMS`:
– `image=../../../../../../../../../Windows/win.ini`- **Prohibited**, as we are reading a file outside of `C:\inetpub\wwwroot\Kentico13` directory.
– `image=wat.png`- **Allowed**, as we are reading a file that should reside inside of the webroot
– `image=/App_Data/wat.png`- **Allowed**, as we are still inside the webroot.
At `[3]`, `IsImage` method is used to verify the file extension.
At `[4]`, the `GetResourceHandler.GetFile` is called.
Now, life is never as easy as just ‘read a file’ and true to form, we can see a list of extensions whitelisted for reading via this functionality in the default Kentico configuration:
“`
ImageHelper.mImageExtensions = new HashSet(new string[] { “bmp”, “gif”, “ico”, “png”, “wmf”, “jpg”, “jpeg”, “tiff”, “tif”, “webp”, “svg” }, StringComparer.OrdinalIgnoreCase);
“`
Luckily, we are reaching some last fragments of the source code for this part. In the `GetFile` method, we have several interesting lines of code:
“`
private static CMSOutputResource GetFile(string path, string extension, bool resolveCSSUrls, bool binary) { //… if (binary) { array = GetResourceHandler.ReadBinaryFile(physicalPath, extension); // [1] } //.. if (!(a == “.css”)) { if (!(a == “.js”)) { cmsoutputResource.ContentType = MimeTypeHelper.GetMimetype(extension, “application/octet-stream”); // [2] } //… } else { cmsoutputResource.ContentType = “text/css; charset=utf-8”; } return cmsoutputResource; }
“`
At `[1]`, the code reads the content of our file with the `ReadBinaryFile` method:
“`
private static byte[] ReadBinaryFile(string path, string fileExtension) { //.. try { result = CMS.IO.File.ReadAllBytes(path); } //.. return result; }
“`
Then at `[2]`, **the functionality dynamically retrieves the MIME type, based on the file extension**.
Please accept our sincere apologies for spamming you with a decent amount of the source code. It was important contextually to walk through the main flow and other aspects of this handler. Now, we can summarize.
1. `GetResourceHandler` allows you to read files from the Kentico webroot directory (and its child directories).
2. You have several processors available: `file`, `image` and others.
3. The code always verifies the file extension and the list of allowed extensions depends on the processor selected.
Those who deal with application security likely noticed that `svg` is an allowed extension for image processing (also allowed in the `file` processor).
TL;DR – `svg` extensions can be used to perform XSS – you can provide `
“`
1. Create `poc.zip`, containing `poc.svg`
2. Upload the ZIP file using the `ContentUploader` handler
“`
POST /CMSModules/Content/CMSPages/MultiFileUploader.ashx?Filename=poc.zip&Complete=false HTTP/1.1 Host: hostname Content-Length: X Content-Type: application/octet-stream ZIPCONTENTS
“`
1. Leverage the GetResource.ashx endpoint to read the SVG file, triggering the XSS, by visiting the following URL:
`http://hostname/CMSPages/GetResource.ashx?image=/App_Data/CMSTemp/MultiFileUploader/00/00000000-0000-0000-0000-000000000000/[poc.zip]/poc.svg`
You’re left with this satisfying alert – the world is doomed!
### Step 4 – Chaining with Post-Auth RCE
As we discussed earlier, in every CMS, typically by design, there are ways for privileged users to gain Remote Code Execution by design.
For the sake of a simple PoC, we just leveraged an approach involving the upload of a file.
To achieve this, we can modify the list of allowed extensions ( `Settings → Content → Media`) – using all brain cells, we add `asp` or `aspx` to the allowed extensions.
We can also specify the media upload directory in the `Media libraries folder`.
Once modified, we can just upload a new “media” file to the webroot.
### Chain TL;DR
**Cross-Site Scripting (XSS) WT-2025-0016 (CVE-2025-2748) relies upon:**
– Unauthenticated resource fetching handler, which allows the retrieval of some basic resources (like images or scripts). It implements a whitelist of extensions to read, but it turned out to be still abusable for the XSS scenarios.
– Unauthenticated file upload handler, abused to upload and store temporary files.
**Post-Authentication Remote Code Execution:**
– We abuse an authenticated and legitimate function provided by the Kentico Xperience CMS to privileged users f0r uploading files, to upload a webshell. CMS solutions are powerful by default and authenticated users typically have by-design RCE capabilities.
### Full Chain Demo
To demonstrate all of our findings, below is a video showing the execution of our full chain to gain Remote Code Execution – and execute commands on the host.
> If you’re wondering why it takes a painful number of seconds to execute the commands and receive feedback – we were too lazy to implement async handling of XHR requests and we just put sleeps into our PoC (so leave us alone, nerds).
### Summary
We hope this was an interesting walk-through and the construction of an interesting exploit chain containing fairly ‘uninteresting’ vulnerabilities to achieve something significantly impactful and painful—Remote Code Execution.
These vulnerabilities were discovered in Kentico Xperience 13 and patched by Kentico in version 13.0.178. Therefore, you should expect to be vulnerable if you’re running a version below 13.0.178.
**Once again, we want to highlight the professionalism and seriousness with which Kentico handled our reports—ultimately demonstrating a response by a vendor that should give Kentico customers confidence. As we have said before, vulnerabilities are a fact of life in many cases, but how a vendor responds tells their customers a lot about their approach to security in general.**
As always, if you want to determine whether your deployment is vulnerable, please review the “Proof of Concept” section of this blog post.
### CVE-2025-2748 Timeline
DateDetail10th February 2025Vulnerability discovered and disclosed to Kentico10th February 2025watchTowr hunts through client attack surfaces for impacted systems, and communicates with those affected11th February 2025Kentico successfully reproduced the vulnerability12th February 2025CVE reservation request submitted to MITRE6th March 2025Vendor releases patch 13.0.17824th March 2025We asked MITRE to stop processing the CVE, and instead requested VulnCheck (as a CNA) to assign a CVE. CVE-2025-2748 is assigned on the same day.
At watchTowr, we passionately believe that continuous security testing is the future and that rapid reaction to emerging threats single-handedly prevents inevitable breaches.
With the watchTowr Platform, we deliver this capability to our clients every single day – it is our job to understand how emerging threats, vulnerabilities, and TTPs could impact their organizations, with precision.
If you’d like to learn more about the **watchTowr Platform** **, our Attack Surface Management and Continuous Automated Red Teaming solution,** please get in touch.