CVE-2025-23209
Published: 18 January 2025
Summary
CVE-2025-23209 is a high-severity Code Injection (CWE-94) vulnerability in Craft CMS (vendor: Craftcms). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely remediation by patching to Craft CMS 5.5.8 or 4.13.8 directly eliminates the RCE vulnerability that is exploitable with a compromised security key.
- SC-12 (Cryptographic Key Establishment and Management): Establishes and manages cryptographic keys, enabling rotation of compromised security keys to reduce exposure, as recommended for systems that cannot be patched.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning identifies unpatched Craft CMS installations that are vulnerable to RCE when their security key is compromised, enabling targeted remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote code execution vulnerability in a public-facing web application (Craft CMS), which maps directly to Exploit Public-Facing Application (T1190) as an initial-access technique.
NVD Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue.
Deeper analysis
CVE-2025-23209 is a remote code execution (RCE) vulnerability classified under CWE-94 that affects Craft CMS versions 4 and 5, specifically installations where the security key has already been compromised. Craft is a flexible, user-friendly content management system used for creating custom digital experiences on the web and beyond. Systems running unpatched versions of Craft 4 or 5 with a compromised security key are vulnerable.
Exploitation requires network access (AV:N), high attack complexity (AC:H), low privileges (PR:L), and user interaction (UI:R), resulting in a CVSS v3.1 base score of 8.0 with changed scope (S:C) and high impact to confidentiality, integrity, and availability. An attacker who holds a compromised security key can leverage this flaw to execute arbitrary code on affected installations.
Craft has addressed the vulnerability in versions 5.5.8 and 4.13.8. Users unable to patch should rotate their security keys and keep the new keys private to reduce risk, as detailed in Craft's knowledge base article on securing secrets, the GitHub security advisory GHSA-x684-96hh-833x, and the associated patch commit.
The vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, suggesting active real-world exploitation.
Details
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 20 February 2025