CVE-2025-23209
Published: 18 January 2025
Summary
CVE-2025-23209 is a high-severity Code Injection (CWE-94) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
Craft CMS versions 4 and 5 contain a remote code execution vulnerability tracked as CVE-2025-23209 and assigned CWE-94. The flaw is present in unpatched installations where the application's security key has already been compromised, allowing code injection that can lead to full compromise of the affected system. It carries a CVSS 3.1 score of 8.0 reflecting network attack vector, high complexity, low privileges, required user interaction, changed scope, and high impact on confidentiality, integrity, and availability.
An attacker who has obtained the security key can exploit the issue remotely to execute arbitrary code on the Craft installation. The attack requires the key to already be exposed and succeeds against any unpatched Craft 4 or 5 instance that still uses the compromised key.
The official advisory and patches state that the vulnerability is fixed in Craft 5.5.8 and 4.13.8. Administrators unable to update immediately are advised to rotate their security keys and restrict access to them. The issue appears in the CISA Known Exploited Vulnerabilities catalog, and its EPSS score rose from lower values to a peak of 0.1913, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0208
Vulnerability details
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone…
more
running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.
- CWE(s)
- KEV Date Added
- 20 February 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote code execution vulnerability in a public-facing web application (Craft CMS), directly enabling exploitation of public-facing applications for initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely remediation through patching to Craft CMS 5.5.8 or 4.13.8 directly eliminates the RCE vulnerability exploiting compromised security keys.
Establishes and manages cryptographic keys, enabling rotation of compromised security keys to mitigate exploitation as recommended for unpatchable systems.
Vulnerability scanning identifies unpatched Craft CMS installations vulnerable to RCE when security keys are compromised, enabling targeted remediation.