Full Report
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks. [...]
Analysis Summary
# Vulnerability: Craft CMS Code Injection Flaw Due to Compromised Security Key (CVE-2025-23209)
## CVE Details
- CVE ID: CVE-2025-23209
- CVSS Score: Not stated in the source; the flaw is listed as exploited by CISA.
- CWE: Insufficient protection for cryptographic keys/credentials (Implied, related to security key misuse).
## Affected Systems
- Products: Craft CMS
- Versions: Craft CMS versions 4 and 5 (prior to patched versions).
- Configurations: Exploitation requires the installation's cryptographic **security key** to have already been compromised/obtained by the attacker.
## Vulnerability Description
This vulnerability is a code injection flaw residing within Craft CMS installations. It becomes exploitable only when an attacker has successfully obtained the application's `security key`. This key is used cryptographically to secure user authentication tokens, session cookies, database values, and other sensitive application data. Once the security key is known to an attacker, they can potentially decrypt sensitive data, forge valid authentication tokens, or achieve remote command execution.
## Exploitation
- Status: Exploited in the wild (added by CISA to the Known Exploited Vulnerabilities (KEV) catalog).
- Complexity: Medium (Relies on a precursor condition: prior compromise of the security key).
- Attack Vector: Not specified; the resulting impact depends on what the attacker does with the compromised key (e.g., remote code execution).
## Impact
- Confidentiality: High (Ability to decrypt sensitive data).
- Integrity: High (Ability to generate fake authentication tokens and potentially inject code).
- Availability: High (Potential for system disruption via remote code execution).
## Remediation
### Patches
- Craft CMS version 4 updated to **4.13.8** or later.
- Craft CMS version 5 updated to **5.5.8** or later.
### Workarounds
1. Delete old cryptographic keys found in the configuration file (likely `.env`).
2. Generate a new security key immediately for the installation using the command: `php craft setup/security-key`.
   * **Warning:** Changing the security key will render any data previously encrypted with the old key inaccessible.
## Detection
- Detection strategies are not detailed in the source. Monitoring for unauthorized changes to application secrets, and for unexpected command execution tied to Craft CMS operations, should be prioritized. No IOCs specific to this vulnerability are provided in the source text.
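As an added illustration of the two defensive checks above (the version thresholds from the Remediation section and the secret-change monitoring from the Detection section), the following Python script is example code written for this summary, not code from CISA, Craft CMS or the source article. It assumes the security key is stored in a `CRAFT_SECURITY_KEY` entry in `.env` (the variable name is an assumption based on Craft's default project template) and uses a constructed sample `.env`.

```python
import hashlib
import re

# Patched releases from the advisory, keyed by major version line.
PATCHED = {4: (4, 13, 8), 5: (5, 5, 8)}

def parse_version(text):
    """Turn '4.13.7' (optionally with a suffix such as '-beta.1') into a tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version_text):
    """True if the version is on the 4.x or 5.x line and older than the patched release.
    Other major lines are outside the advisory's scope and return False."""
    v = parse_version(version_text)
    patched = PATCHED.get(v[0])
    return patched is not None and v < patched

def security_key_fingerprint(env_text, var_name="CRAFT_SECURITY_KEY"):
    """Return a SHA-256 fingerprint of the security key found in .env text, or None
    if the variable is absent or empty. Only the hash is kept, so the key is never logged."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == var_name:
            value = value.strip().strip('"').strip("'")
            return hashlib.sha256(value.encode()).hexdigest() if value else None
    return None

def key_changed(env_text, baseline_fingerprint, var_name="CRAFT_SECURITY_KEY"):
    """Compare the current key fingerprint with a baseline captured at deployment time.
    Returns a short verdict suitable for a monitoring alert."""
    current = security_key_fingerprint(env_text, var_name)
    if current is None:
        return "missing"
    if baseline_fingerprint is None:
        return "no-baseline"
    return "changed" if current != baseline_fingerprint else "unchanged"

# Constructed sample .env contents (not from a real installation).
SAMPLE_ENV = "CRAFT_APP_ID=CraftCMS--example\nCRAFT_SECURITY_KEY=constructed-sample-key-0001\n"

if __name__ == "__main__":
    baseline = security_key_fingerprint(SAMPLE_ENV)
    print("4.13.7 vulnerable:", is_vulnerable("4.13.7"), "| key status:", key_changed(SAMPLE_ENV, baseline))
```

In practice the baseline fingerprint would be recorded when the key is first generated, so that a later mismatch (or a missing key) raises an alert rather than going unnoticed.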
## References
- Vendor advisory (GHSA): hxxps://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
- CISA KEV Listing: hxxps://www.cisa.gov/news-events/alerts/2025/02/20/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Official Craft CMS documentation on security key: hxxps://craftcms.com/docs/5.x/reference/config/general.html#securitykey
- Craft CMS documentation on secrets: hxxps://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret