Bypassing Authentication Like It's the '90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS

  • WatchTowr Labs blog post: The author recently joined WatchTowr; this first blog post describes a pre-auth RCE chain in "unknown software", focused on Kentico's Xperience CMS.

    • Vulnerable Configuration: The vulnerabilities affect a common configuration in which the Staging Service is enabled with username/password authentication (the service is disabled by default). Tested on Kentico Xperience 13.0.172 - 13.0.178.
    • WT-2025-0006 Authentication Bypass: Kentico's CMS.Synchronization.WSE3.SyncServer service has a deserialization vulnerability. Authentication is bypassed by adding an appropriate SOAP header carrying a username and password: Kentico's custom WebServiceAuthorization class overrides the verification logic and accepts an empty password hash.
    • WT-2025-0007 Post-Auth Remote Code Execution: The authentication bypass is leveraged to gain full administrative access. The ProcessSynchronizationTaskData method is exploited to perform various CMS operations and achieve RCE by controlling TaskData and TaskBinaryData.
    • WT-2025-0011 WSE3 Tragedy: A second authentication bypass was found in the obsolete Microsoft Web Services Enhancements (WSE) 3.0 library. When no Password tag is supplied, _passwordOption remains SendNone and validation is skipped. Exploitation differs by version.
    • Detection Artifact Generators: Tools were created to check for the vulnerabilities without publishing full PoCs.
    • Summary: Two authentication bypasses and a post-auth RCE were identified in Kentico Xperience CMS. The Kentico team was thanked for its engagement.
    • Timelines: Timelines for each vulnerability covering discovery, reproduction, CVE reservation, and the vendor's patch release.
  • WatchTowr Platform: Believes in continuous security testing; delivers an Attack Surface Management and Continuous Automated Red Teaming solution.