CVE-2018-7046 in Kentico

Summary

by MITRE

Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.


Analysis

by VulDB Data Team • 12/19/2025

CVE-2018-7046 is a critical flaw in Kentico CMS versions 9 through 11 that lets remote authenticated users execute arbitrary operating system commands. The weakness lies in the dynamic .NET code evaluation context reached through the template editing interface (Pages -> Edit -> Template -> Edit template properties -> Layout). An attacker holding valid user credentials can inject C# code into a template's layout and have it executed, turning authenticated application access into system-level command execution.

Exploitation relies on the dynamic code evaluation mechanism Kentico uses for template processing. When a user edits template properties through the web interface, the supplied C# code is evaluated by the .NET runtime in a context with elevated privileges, so operating system commands can be launched through methods such as .NET's Process.Start(). The user-supplied code in the layout editor is interpreted and executed directly, without sanitization or additional access controls. This is a classic code injection weakness classified as CWE-94 (Code Injection), arising from insufficient input validation and unrestricted code evaluation.

Operationally, the risk to organizations running Kentico CMS 9 through 11 is severe. An attacker with valid user credentials can move from standard user access to full command execution and potentially complete system compromise, enabling file system manipulation, network reconnaissance, privilege escalation and persistence. Because only authenticated access is required, any account with valid login credentials is a potential entry point. The behaviour maps to ATT&CK techniques T1059.001 (command and scripting interpreter) and T1068 (exploitation for privilege escalation), and it is a significant vector for lateral movement within a compromised environment.

The vendor's position that editing and updating the ascx code layout is intended functionality for authorized users complicates the assessment. The feature has legitimate uses for developers and administrators, but without finer access controls and input validation it becomes a security risk: there is no boundary between the ability to edit a template and the ability to run arbitrary operating system commands on the server. This is a design flaw in the application's security architecture and a violation of least privilege, since even authorized template editors should not be able to execute arbitrary OS commands through a layout editor. It also illustrates why web applications that evaluate dynamic code need sanitization and a restricted execution context. The issue warrants immediate attention through patching, tightened access control and a review of who can reach the template editing functionality.

For organizations relying on Kentico CMS the concern is significant: a legitimate feature becomes a security risk when input validation and privilege controls are missing. Because the attack vector requires only authenticated access, it is especially dangerous where user accounts may be compromised through social engineering, credential theft or other means. Organizations should monitor template modifications closely, restrict template editing privileges to trusted administrators, and apply vendor-provided patches as soon as possible.
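One defensive check the monitoring recommendation above implies, added here as example code that is not from VulDB or Kentico: a Python audit that scans exported template layouts for inline server-side code and for process-spawning .NET APIs such as Process.Start(), so reviewers can prioritise which templates to inspect. The record layout, field names and sample contents are constructed assumptions, not Kentico's schema.

```python
import re
from dataclasses import dataclass

# Constructed sample records. In a real audit these would be exported from the
# CMS's page template storage; the field names here are assumptions.
SAMPLE_LAYOUTS = [
    {"id": 101, "name": "Home", "type": "html",
     "layout": '<div class="home">{{content}}</div>'},
    {"id": 102, "name": "Blog", "type": "ascx",
     "layout": '<%@ Control Language="C#" %><cms:CMSWebPartZone ID="zoneA" runat="server" />'},
    {"id": 103, "name": "Footer", "type": "ascx",
     "layout": '<%@ Control Language="C#" %><% System.Diagnostics.Process.Start(cmd); %>'},
    {"id": 104, "name": "Widget", "type": "ascx",
     "layout": '<script runat="server">void Page_Load(object s, EventArgs e) { Response.Write(1); }</script>'},
]

# Inline server code: <% ... %> blocks and <%= %> expressions, excluding
# directives (<%@), data-binding (<%#), expression builders (<%$) and comments (<%--).
INLINE_CODE = re.compile(r"<%(?![@#$\-])")
SERVER_SCRIPT = re.compile(r"<script\b[^>]*\brunat\s*=\s*[\"']?server", re.IGNORECASE)
# .NET APIs that spawn OS processes; Process.Start is the one named in the advisory.
PROCESS_APIS = re.compile(r"System\.Diagnostics\.Process|\bProcess\.Start\s*\(")

@dataclass
class Finding:
    template_id: int
    name: str
    level: str   # "none", "info", "medium" or "high"
    reason: str

def classify_layout(layout_type: str, layout: str) -> tuple[str, str]:
    """Return (level, reason) for a single template layout."""
    if PROCESS_APIS.search(layout):
        return "high", "references a process-spawning .NET API"
    if INLINE_CODE.search(layout) or SERVER_SCRIPT.search(layout):
        return "medium", "contains inline server-side code"
    if layout_type.lower() == "ascx":
        return "info", "ASCX layout without inline code (still compiled server-side)"
    return "none", "HTML-only layout"

def audit_layouts(records) -> list[Finding]:
    """Classify every record and return findings, highest risk first."""
    order = {"high": 0, "medium": 1, "info": 2, "none": 3}
    findings = [Finding(r["id"], r["name"], *classify_layout(r["type"], r["layout"]))
                for r in records]
    return sorted(findings, key=lambda f: order[f.level])

if __name__ == "__main__":
    for f in audit_layouts(SAMPLE_LAYOUTS):
        print(f"[{f.level:>6}] template {f.template_id} ({f.name}): {f.reason}")
```

A "medium" or "high" finding on a template that was not changed through a reviewed deployment is the signal to investigate the editing account and the change history.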

Reservation

02/14/2018

Disclosure

02/20/2018

Moderation

accepted

CPE

ready

EPSS

0.01977

KEV

no

Activities

very low

Sources
