Kentico CMS Insecure Deserialization RCE

Manieendar Mohan
Published on
16 Jun 2021

CVE-2019-10068 is a .NET object deserialization vulnerability in the Kentico CMS framework that enables attackers to perform remote code execution and gain unauthorized remote access. A SOAP Action within the staging web service deserialized an XML encoded SOAP message within an element of the actual SOAP body. The program uses the staging service to synchronize changes between servers.A malicious request to the staging service could bypass initial authentication and proceed to deserialize user-controlled.NET object input due to a failure to validate security headers. This deserialization then resulted in unauthenticated remote code execution on the Kentico instance’s server.

Mitigation / Precaution

We suggest you update to Kentico CMS version greater than 12.0.15 to fix this vulnerability.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment