
Unauthenticated Remote Code Execution In Kentico CMS

CVE-2019-10068: RCE as Administrator via deserialization vulnerability in Kentico CMS 12.0.14.

Stroz Friedberg’s Cyber Solutions Security Testing team recently discovered a vulnerability, CVE-2019-10068, in the Kentico CMS platform versions 12.0.14 and earlier. This issue allows for unauthenticated remote code execution through a deserialization vulnerability in the staging service. A fix is available in the current version, 12.0.15. This vulnerability was discovered by Manoj Cherukuri and Justin LeMay. Exploit code is currently being withheld.

Stroz Friedberg’s Cyber Solutions would like to thank Kentico for working with us as part of our coordinated disclosure process to quickly remediate this vulnerability.


Timeline:

  • 03/13/2019 – Issue disclosed to Kentico
  • 03/14/2019 – Receipt acknowledged
  • 03/20/2019 – Vulnerability confirmed by Kentico
  • 03/22/2019 – Patch released in version 12.0.15
  • 04/15/2019 – Public disclosure


Vendor Advisory/Patch:

https://devnet.kentico.com/download/hotfixes#securityBugs-v12


Details:

Kentico CMS is vulnerable to a .NET object deserialization flaw that allows an attacker to execute arbitrary code and obtain unauthorized remote access. A SOAP action in the staging web service deserialized an XML-encoded SOAP message carried inside an element of the outer SOAP body. The staging service is used by the application to synchronize changes between different environments or servers.

The vulnerable web service is installed by default and is exploitable in the default configuration. Deserialization of the synchronization payload is intended to occur only after authentication and only when the staging service is enabled (it is disabled by default); however, when parsing a specially crafted request the application deserializes the payload even if neither condition is met. The only requirement for exploitation is that the staging service uses username-based authentication, which is the default configuration.
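As an added example (not part of the original advisory and not Kentico's or Stroz Friedberg's code), the following Python check flags the request shape described above: a SOAP body element whose text content is itself an XML-encoded SOAP envelope. A defender can run it over captured POST bodies to the staging endpoint; the element names and the sample message are constructed for illustration.

```python
# Added example for this advisory (not Kentico or Stroz Friedberg code); element
# names and the sample message below are constructed for illustration.
import html
import xml.etree.ElementTree as ET

SOAP_11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_12 = "http://www.w3.org/2003/05/soap-envelope"

def _split_tag(tag):
    """Return (namespace, local-name) for an ElementTree tag such as '{ns}Name'."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def _is_soap_envelope(element):
    ns, local = _split_tag(element.tag)
    return local == "Envelope" and ns in (SOAP_11, SOAP_12)

def _parse_xml(text):
    """Parse text as XML or return None (use defusedxml for untrusted input in production)."""
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        return None

def nested_envelopes(soap_request):
    """Return local names of elements whose text content is itself a SOAP Envelope."""
    root = _parse_xml(soap_request)
    if root is None or not _is_soap_envelope(root):
        return []
    hits = []
    for element in root.iter():
        text = (element.text or "").strip()
        if "<" not in text and "&lt;" not in text:
            continue
        # The outer parse already decoded &lt;/&gt;; also try one more HTML
        # unescape so a double-encoded inner message is still caught.
        for candidate in (text, html.unescape(text)):
            inner = _parse_xml(candidate)
            if inner is not None and _is_soap_envelope(inner):
                hits.append(_split_tag(element.tag)[1])
                break
    return hits

# Constructed sync request whose <payload> element carries an escaped inner envelope.
SUSPECT = (
    f'<s:Envelope xmlns:s="{SOAP_11}"><s:Body><SyncData xmlns="urn:example:staging">'
    f'<payload>&lt;s:Envelope xmlns:s="{SOAP_11}"&gt;&lt;s:Body&gt;&lt;item/&gt;'
    '&lt;/s:Body&gt;&lt;/s:Envelope&gt;</payload></SyncData></s:Body></s:Envelope>'
)
```

`nested_envelopes(SUSPECT)` returns `["payload"]`, while a request whose elements carry only plain text returns an empty list.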
