A high-severity safety flaw impacting the Craft content material administration system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to its Recognized Exploited Vulnerabilities (KEV) catalog, based mostly on proof of lively exploitation.
The vulnerability in query is CVE-2025-23209 (CVSS rating: 8.1), which impacts Craft CMS variations 4 and 5. It was addressed by the undertaking maintainers in late December 2024 in variations 4.13.8 and 5.5.8.
“Craft CMS comprises a code injection vulnerability that enables for distant code execution as susceptible variations have compromised person safety keys,” the company mentioned.
The vulnerability impacts the next model of the software program –
- >= 5.0.0-RC1, < 5.5.5
- >= 4.0.0-RC1, < 4.13.8
In an advisory released on GitHub, Craft CMS famous that each one unpatched variations of Craft with a compromised safety key are impacted by the safety defect.
“If you cannot replace to a patched model, then rotating your safety key and guaranteeing its privateness will assist to mitigate the difficulty,” it famous.
It is at the moment not clear how the person safety keys had been compromised, and in what context. To alleviate the danger posed by the vulnerability, it is really useful that Federal Civilian Government Department (FCEB) businesses apply the required fixes by March 13, 2025.
In December 2024, Craft CMS warned of lively exploitation of one other security flaw (CVE-2024-56145) that would lead to distant code execution when PHP `register_argc_argv` config setting is enabled. The vulnerability is but to be added to CISA’s KEV catalog.
