Full Report
A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the
Analysis Summary
# Vulnerability: Craft CMS Code Injection via Compromised Security Keys
## CVE Details
- CVE ID: CVE-2025-23209
- CVSS Score: 8.1 (High)
- CWE: CWE-94 (Improper Control of Generation of Code, "Code Injection")
## Affected Systems
- Products: Craft CMS
- Versions:
- Version 4.x: `>= 4.0.0-RC1` and `< 4.13.8`
- Version 5.x: `>= 5.0.0-RC1` and `< 5.5.8`
- Configurations: Any unpatched installation whose security key (the `CRAFT_SECURITY_KEY` environment variable, or the `securityKey` setting in `config/general.php`) has been compromised. The advisory does not say how keys were obtained in the observed attacks.
## Vulnerability Description
Craft CMS 4.x and 5.x releases below the fixed versions contain a code injection flaw that allows remote code execution (RCE) when the installation's security key has been compromised. The security key is the secret the application uses to protect data it later trusts, so an attacker who holds it can reach a code path that, in the affected versions, ends in arbitrary code execution. Without the key the flaw is not reachable, which is why the vendor treats key rotation as the interim mitigation.
## Exploitation
- Status: Actively exploited in the wild (added to the CISA KEV catalog on 20 February 2025)
- Complexity: Not stated in the source. The 8.1 score is consistent with the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, where the High attack complexity reflects the precondition that the attacker already holds the site's security key.
- Attack Vector: Network, consistent with the score and with an RCE in a web application; the specific request sequence used in the attacks is not described in the source.
## Impact
- Confidentiality: High (Inferred from RCE capability)
- Integrity: High (Inferred from RCE capability)
- Availability: High (Inferred from RCE capability)
## Remediation
### Patches
- Craft CMS Version 4: Update to **4.13.8** or later.
- Craft CMS Version 5: Update to **5.5.8** or later.
### Workarounds
- If updating immediately is not possible, **rotate the security key** of the affected installation and keep the new key private: store it in `.env` (or another file outside the web root) rather than in committed configuration, keep it out of version control and backups that others can read, and treat any copy that may have leaked (shared hosting panels, CI logs, old repositories) as compromised. Note that rotation invalidates anything the old key protected, so plan it as a deliberate maintenance step rather than a silent change.
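The version ranges and the key workaround above, as an added example that is not the page's or Craft's own code: a Python script that reads a project's `composer.lock` and `.env`, decides whether the installed `craftcms/cms` release falls inside the affected ranges, and checks whether `CRAFT_SECURITY_KEY` is configured. The `composer.lock` and `.env` contents are constructed samples; the environment variable name is Craft's standard configuration (assumed here), and the version parser is deliberately small and handles only the `X.Y.Z[-label]` form these ranges use.

```python
"""Audit a Craft CMS checkout for CVE-2025-23209 exposure.

Added example, not Craft CMS project code. Version bounds come from the
vendor advisory; the composer.lock and .env samples below are constructed.
"""
import json
import re

# First affected and first fixed release per major, from the advisory.
AFFECTED_FROM = {4: "4.0.0-RC1", 5: "5.0.0-RC1"}
FIXED_IN = {4: "4.13.8", 5: "5.5.8"}

# Matches e.g. CRAFT_SECURITY_KEY=abc, export CRAFT_SECURITY_KEY="abc"
ENV_KEY_LINE = re.compile(r'^\s*(?:export\s+)?CRAFT_SECURITY_KEY\s*=\s*(.*?)\s*$')


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, tag).

    tag is (1, "") for a final release and (0, label) for a pre-release,
    so 4.0.0-RC1 < 4.0.0 and 4.0.0-beta.1 < 4.0.0-RC1. Only X.Y.Z[-label]
    is handled, which is all the advisory ranges need (assumption).
    """
    core, _, pre = text.strip().lstrip("v").partition("-")
    nums = [int(part) for part in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    tag = (0, pre.lower()) if pre else (1, "")
    return (nums[0], nums[1], nums[2], tag)


def is_vulnerable(version):
    """True when version lies in an affected range from the advisory."""
    parsed = parse_version(version)
    major = parsed[0]
    if major not in FIXED_IN:
        return False  # advisory lists only 4.x and 5.x
    return parse_version(AFFECTED_FROM[major]) <= parsed < parse_version(FIXED_IN[major])


def craft_version_from_lock(lock_text):
    """Installed craftcms/cms version recorded in composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def security_key_status(env_text):
    """'set', 'empty' or 'missing' for CRAFT_SECURITY_KEY in a .env file."""
    for line in env_text.splitlines():
        match = ENV_KEY_LINE.match(line)
        if match:
            value = match.group(1).strip("\"'")
            return "set" if value else "empty"
    return "missing"


def audit(lock_text, env_text):
    """Combine both checks into one report with the actions to take."""
    version = craft_version_from_lock(lock_text)
    vulnerable = bool(version) and is_vulnerable(version)
    key_status = security_key_status(env_text)
    actions = []
    fixed_in = FIXED_IN.get(parse_version(version)[0]) if version else None
    if vulnerable:
        actions.append("update craftcms/cms to %s or later" % fixed_in)
    if key_status != "set":
        actions.append("configure CRAFT_SECURITY_KEY in .env")
    elif vulnerable:
        actions.append("rotate CRAFT_SECURITY_KEY until the update is applied")
    return {
        "version": version,
        "vulnerable": vulnerable,
        "fixed_in": fixed_in,
        "key_status": key_status,
        "actions": actions,
    }


# Constructed sample inputs (not from a real site).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.5.7"}]})
SAMPLE_ENV = "CRAFT_APP_ID=CraftCMS--example\nCRAFT_SECURITY_KEY=\n"

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK, SAMPLE_ENV), indent=2))
```

Run it from the project root against the real files (`audit(open("composer.lock").read(), open(".env").read())`). Generating the replacement key itself is best left to Craft's own `php craft setup/security-key` console command, which writes a fresh random value into `.env`; the script above only tells you whether you need to.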
## Detection
- The source gives no indicators of compromise. In the absence of specifics, prioritise: alerting on new or modified PHP files in web-served directories, on changes to `.env` and `config/general.php`, and on unexpected child processes spawned by the PHP worker (php-fpm or mod_php); reviewing where the security key has ever been stored or transmitted, since a leaked key is the precondition for exploitation; and confirming the installed `craftcms/cms` version against the fixed releases above.
## References
- Vendor Advisory (GitHub): https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
- CISA alert announcing the KEV addition (20 February 2025): https://www.cisa.gov/news-events/alerts/2025/02/20/cisa-adds-two-known-exploited-vulnerabilities-catalog