Due to an error in the Microsoft.Web.Services3 library, a specially crafted request to the staging service could bypass the initial authentication and proceed to deserialize user-controlled input. Deserializing that input then led to remote code execution on the server hosting the Kentico instance.
Workaround for all Kentico versions
The workaround is the same for all projects, whether or not staging is used: set the 'Staging service authentication' setting to 'X.509':
1. Navigate to 'Settings' -> 'Versioning & Synchronization' -> 'Staging'
2. Under the 'Staging service' section set 'Staging service authentication' to 'X.509'
3. 'Save' the changes
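Because Kentico settings can be overridden per site, changing the value in one place does not guarantee every site is covered: a site-level row can still hold the weaker value, or the global default can remain at username/password while only one site was switched. The following script is an added example (not Kentico's own code or the advisory's) that audits the effective value for each site from rows exported out of the settings store. The column layout, the key name 'CMSStagingServiceAuthentication' and the stored encodings '1' for X.509 and '0' for username/password are assumptions to verify against your own instance; the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed identifiers (not taken from the advisory): verify against your instance.
STAGING_AUTH_KEY = "CMSStagingServiceAuthentication"  # settings key name, assumed
VALUE_X509 = "1"               # assumed stored value for 'X.509'
VALUE_USERNAME_PASSWORD = "0"  # assumed stored value for 'Username and password'


@dataclass(frozen=True)
class SettingsRow:
    """One row as exported from the settings table (assumed columns)."""
    key_name: str
    key_value: Optional[str]   # None or '' on a site row means 'inherit from global'
    site_id: Optional[int]     # None marks the global (site-independent) row


def effective_value(rows: Iterable[SettingsRow], key_name: str, site_id: int) -> Optional[str]:
    """Resolve a setting the way the UI presents it: a non-empty site-level
    override wins, otherwise the global value applies, otherwise the key is unset."""
    rows = list(rows)
    for row in rows:
        if row.key_name == key_name and row.site_id == site_id and row.key_value not in (None, ""):
            return row.key_value
    for row in rows:
        if row.key_name == key_name and row.site_id is None:
            return row.key_value
    return None


def audit_staging_auth(rows: Iterable[SettingsRow], sites: Dict[int, str]) -> Dict[str, str]:
    """Classify every site: 'x509' (workaround applied), 'username-password'
    (still on the authentication scheme the advisory tells you to move away from),
    or 'unset' (no value resolvable at all)."""
    rows = list(rows)
    verdict: Dict[str, str] = {}
    for site_id, site_name in sites.items():
        value = effective_value(rows, STAGING_AUTH_KEY, site_id)
        if value == VALUE_X509:
            verdict[site_name] = "x509"
        elif value == VALUE_USERNAME_PASSWORD:
            verdict[site_name] = "username-password"
        else:
            verdict[site_name] = "unset"
    return verdict


def sites_needing_remediation(rows: Iterable[SettingsRow], sites: Dict[int, str]) -> List[str]:
    """Names of sites whose effective setting is not X.509, sorted for stable output."""
    return sorted(name for name, v in audit_staging_auth(rows, sites).items() if v != "x509")


# Constructed sample data (not from any real instance).
SAMPLE_SITES = {1: "CorporateSite", 2: "IntranetSite", 3: "EcommerceSite"}
SAMPLE_ROWS = [
    SettingsRow(STAGING_AUTH_KEY, VALUE_USERNAME_PASSWORD, None),  # global default left at username/password
    SettingsRow(STAGING_AUTH_KEY, VALUE_X509, 1),                  # site 1 overridden to X.509
    SettingsRow(STAGING_AUTH_KEY, "", 3),                          # site 3 row present but inheriting
    # site 2 has no row at all: it inherits the global value
]

if __name__ == "__main__":
    for name, state in audit_staging_auth(SAMPLE_ROWS, SAMPLE_SITES).items():
        print(f"{name}: {state}")
    print("remediate:", sites_needing_remediation(SAMPLE_ROWS, SAMPLE_SITES))
```

Run it against a real export by replacing SAMPLE_ROWS with the rows for the staging authentication key and SAMPLE_SITES with your site IDs and names; any site listed under "remediate" still needs the setting changed, either at the global level or in that site's own settings.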
Remote Code Execution
Found in version: 12.0.14 and below
Fixed in version:
Aon’s Cyber Solutions
Install the latest hotfix. You can download the latest hotfix from the Download section of the DevNet portal. If you use an older Kentico version, upgrading to the latest version is highly recommended.