vulnerability

Kentico Xperience: CVE-2019-10068: Deserialization of Untrusted Data

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Mar 26, 2019

Added

May 12, 2025

Modified

May 13, 2025

Description

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

Solution

kentico-xperience-upgrade-latest

References

CVE-2019-10068
https://attackerkb.com/topics/CVE-2019-10068
http://packetstormsecurity.com/files/157588/Kentico-CMS-12.0.14-Remote-Command-Execution.html
https://devnet.kentico.com/download/hotfixes#securityBugs-v12

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report