The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks.
The flaw is tracked as CVE-2025-23209 and is a high-severity (CVSS v3 score: 8.0) code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5.
Craft CMS is a content management system (CMS) used for building websites and custom digital experiences.
Not many technical details about CVE-2025-23209 are available, but exploitation isn't straightforward, as it requires the installation's security key to have already been compromised.
In Craft CMS, the security key is a cryptographic key that secures user authentication tokens, session cookies, database values, and sensitive application data.
The CVE-2025-23209 vulnerability only becomes an issue if an attacker has already obtained this security key, which opens the way to decrypt sensitive data, generate fake authentication tokens, or inject and execute malicious code remotely.
CISA has added the flaw to KEV without sharing any details about the scope and origin of the attacks or who the targets are.
Federal agencies have until March 13, 2025, to patch the Craft CMS flaw.
The flaw has been patched in Craft versions 5.5.8 and 4.13.8, so users are recommended to upgrade to those releases or later as soon as possible.
If you suspect compromise, it is recommended that you delete old keys contained in ‘.env’ files and generate new ones using the php craft setup/security-key
command. Note that key changes render any data encrypted with a previous key inaccessible.
Along with CVE-2025-23209, CISA also added a vulnerability in Palo Alto Networks firewalls (CVE-2025-0111) to the Known Exploited Vulnerabilities catalog, setting the same deadline of March 13.
This is a file read vulnerability impacting PAN-OS firewalls, which the vendor disclosed is exploited by hackers as part of an exploit chain with CVE-2025-0108 and CVE-2024-9474.
For the PAN-OS versions that address this flaw, impacted users can check Palo Alto Networks’ security bulletin.