Cyber Resilience

CVE-2025-68455

HighPublic PoC

Published: 05 January 2026

Published
05 January 2026
Modified
12 January 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0081 52.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-68455 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

Craft is a platform for creating digital experiences that is affected by CVE-2025-68455, a vulnerability assigned CWE-470. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 contain the flaw, which permits potential authenticated remote code execution through a malicious attached Behavior. The issue carries a CVSS 4.0 score of 8.6 with network attack vector, low complexity, and high impact on confidentiality, integrity, and availability when administrator privileges are present.

An attacker must already possess administrator access to the Craft Control Panel to exploit the vulnerability. With that access, the malicious Behavior can be attached to trigger remote code execution on the server.

The referenced GitHub security advisory GHSA-255j-qw47-wjh5 and associated changelog entries direct users to upgrade to the patched releases 5.8.21 or 4.16.17. Commits that address the issue are listed in the Craft CMS repository for both the 5.x and 4.x branches.

EPSS scores remain low, with a current value of 0.0114 and a peak of 0.0151.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel…

more

for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authenticated RCE in public-facing Craft CMS directly matches exploitation of a vulnerable web application for code execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25498Same product: Craftcms Craft Cms
CVE-2026-33157Same product: Craftcms Craft Cms
CVE-2026-32264Same product: Craftcms Craft Cms
CVE-2026-32263Same product: Craftcms Craft Cms
CVE-2026-25495Same product: Craftcms Craft Cms
CVE-2025-23209Same product: Craftcms Craft Cms
CVE-2026-28784Same product: Craftcms Craft Cms
CVE-2026-31857Same product: Craftcms Craft Cms
CVE-2026-32267Same product: Craftcms Craft Cms
CVE-2025-68456Same product: Craftcms Craft Cms

Affected Assets

craftcms
craft cms
4.0.0, 5.0.0 · 4.0.0.1 — 4.16.17 · 5.0.1 — 5.8.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely patching to fixed Craft CMS versions 5.8.21 or 4.16.17 to eliminate the RCE vulnerability.

detect

Vulnerability scanning identifies affected Craft CMS versions in the specified ranges, enabling prioritization for remediation.

prevent

Least privilege limits administrator access to the Craft Control Panel, reducing the attack surface for authenticated exploitation.

References