
CVE-2025-23209

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 18 January 2025
Modified: 24 October 2025
KEV Added: 20 February 2025
Patch: available (fixed releases listed below)
CVSS v3.1 Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.1639 (95.0th percentile)
Risk Priority: 46 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23209 is a high-severity Code Injection (CWE-94) vulnerability in Craft CMS (vendor: craftcms). Its CVSS v3.1 base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

Craft CMS versions 4 and 5 contain a remote code execution vulnerability tracked as CVE-2025-23209 and assigned CWE-94. The flaw is present in unpatched installations where the application's security key has already been compromised, allowing code injection that can lead to full compromise of the affected system. It carries a CVSS 3.1 score of 8.0, reflecting a network attack vector, high attack complexity, low privileges required, required user interaction, changed scope, and high impact on confidentiality, integrity, and availability.

An attacker who has obtained the security key can exploit the issue remotely to execute arbitrary code on the Craft installation. The attack requires the key to already be exposed and succeeds against any unpatched Craft 4 or 5 instance that still uses the compromised key.

The official advisory and patches state that the vulnerability is fixed in Craft 5.5.8 and 4.13.8. Administrators unable to update immediately are advised to rotate their security keys and restrict access to them. The issue appears in the CISA Known Exploited Vulnerabilities catalog, and its EPSS score rose from lower values to a peak of 0.1913, indicating emerging exploitation interest after disclosure.


Vulnerability details

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue.
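The advisory text above and the "Deeper analysis" section both reduce to the same triage question for a defender: which Craft 4 or 5 instances still run a release older than 4.13.8 or 5.5.8, since those are the ones a leaked security key turns into an RCE. The following script is an added example, not code from this page, the advisory, or the Craft CMS project; it assumes you already have an inventory mapping hostnames to version strings (for instance from `composer show craftcms/cms` or the control panel), and the inventory below is constructed for illustration.

```python
"""Triage an inventory of Craft CMS instances against the CVE-2025-23209 fixed
releases (4.13.8 and 5.5.8, as stated in the advisory).

Added example; not the advisory's or Craft CMS's own code. Version strings
are assumed to come from an existing inventory (e.g. `composer show
craftcms/cms` output or the control panel). Hosts and versions below are
constructed sample data.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected major line, from the advisory.
FIXED_RELEASES: Dict[int, Version] = {
    4: (4, 13, 8),
    5: (5, 5, 8),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from a free-form string
    such as 'Craft CMS 4.13.7' or 'craftcms/cms 5.5.8.1'. Returns None when
    no triple is present so callers can flag the host for manual review."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True when the version is on the 4.x or 5.x line and below the fixed
    release for that line; False when patched or on a major line the
    advisory does not list; None when the version cannot be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIXED_RELEASES.get(version[0])
    if fixed is None:
        return False  # e.g. Craft 3: not in the advisory's affected range
    # Tuple comparison is lexicographic, so (4, 13, 7) < (4, 13, 8).
    return version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'patched', 'out_of_scope' or
    'unknown'. 'affected' hosts need the update or, failing that, a
    security-key rotation as the advisory recommends."""
    result: Dict[str, str] = {}
    for host, version_text in inventory.items():
        status = is_affected(version_text)
        if status is None:
            result[host] = "unknown"
        elif status:
            result[host] = "affected"
        elif parse_version(version_text)[0] in FIXED_RELEASES:
            result[host] = "patched"
        else:
            result[host] = "out_of_scope"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "www-01.example.test": "Craft CMS 4.13.7",
    "www-02.example.test": "craftcms/cms 4.13.8",
    "shop.example.test": "5.4.2",
    "blog.example.test": "5.5.8",
    "legacy.example.test": "Craft 3.9.14",
    "staging.example.test": "version unavailable",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:24} {status}")
```

Hosts reported as `affected` should be updated to 4.13.8 or 5.5.8; where that is not immediately possible, the advisory's fallback of rotating the security key and restricting who can read it applies. Hosts reported as `unknown` should be inspected by hand rather than assumed safe.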

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 20 February 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote code execution vulnerability in a public-facing web application (Craft CMS), directly enabling exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31857 · Same product: Craft CMS
CVE-2026-25498 · Same product: Craft CMS
CVE-2025-68455 · Same product: Craft CMS
CVE-2026-25495 · Same product: Craft CMS
CVE-2026-28783 · Same product: Craft CMS
CVE-2026-28784 · Same product: Craft CMS
CVE-2025-68454 · Same product: Craft CMS
CVE-2026-33157 · Same product: Craft CMS
CVE-2026-32267 · Same product: Craft CMS
CVE-2026-28696 · Same product: Craft CMS

Affected Assets

Vendor: craftcms
Product: Craft CMS
Affected version ranges: 4.0.0 — 4.13.8 and 5.0.0 — 5.5.8 (the upper bounds are the fixed releases)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent (SI-2 Flaw Remediation): Timely remediation through patching to Craft CMS 5.5.8 or 4.13.8 directly eliminates the RCE vulnerability exploiting compromised security keys.

Prevent: Establishes and manages cryptographic keys, enabling rotation of compromised security keys to mitigate exploitation as recommended for unpatchable systems.

Detect (RA-5 Vulnerability Monitoring and Scanning): Vulnerability scanning identifies unpatched Craft CMS installations vulnerable to RCE when security keys are compromised, enabling targeted remediation.

References