
CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

A high-severity security flaw affecting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which affects Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8.

“Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys,” the agency said.


The vulnerability affects the following versions of the software:

  • >= 5.0.0-RC1, < 5.5.5
  • >= 4.0.0-RC1, < 4.13.8
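To make the version list above actionable across a fleet of sites, here is an added triage script (not from the article, CISA or the Craft project) that reads the craftcms/cms entry from a composer.lock and tests it against the two affected ranges exactly as listed. The composer.lock excerpt is constructed for the example. Pre-release tags (RC, beta, alpha) are sorted before the corresponding final release, which is what the 5.0.0-RC1 and 4.0.0-RC1 lower bounds require.

```python
"""Triage helper: is a Craft CMS install inside an affected range for CVE-2025-23209?"""
import json
import re

# Affected ranges as listed in the article, as half-open intervals [lower, upper).
AFFECTED_RANGES = [
    ("5.0.0-RC1", "5.5.5"),
    ("4.0.0-RC1", "4.13.8"),
]

# Constructed composer.lock excerpt (not taken from any real site), trimmed to
# the fields this script reads. Composer records the installed package versions here.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.5.3"},
        {"name": "yiisoft/yii2", "version": "2.0.51"},
    ]
})

# Ordering of pre-release stages; anything unknown sorts after RC but before final.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(version):
    """Turn a version string into a sortable tuple.

    '5.0.0-RC1'    -> (5, 0, 0, 0, 2, 1)   pre-release: flag 0, stage rank, stage number
    '5.0.0'        -> (5, 0, 0, 1, 0, 0)   final release: flag 1
    so every pre-release of X.Y.Z sorts before the final X.Y.Z.
    """
    core, _, pre = version.lstrip("v").partition("-")
    nums = tuple(int(part) for part in core.split(".")[:3])
    nums += (0,) * (3 - len(nums))
    if not pre:
        return nums + (1, 0, 0)
    match = re.match(r"([A-Za-z]+)\.?(\d*)", pre)
    stage = match.group(1).lower() if match else ""
    number = int(match.group(2)) if match and match.group(2) else 0
    return nums + (0, _PRERELEASE_RANK.get(stage, 3), number)


def is_affected(version):
    """True if the version falls inside any listed [lower, upper) range."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def craft_version_from_lock(lock_text):
    """Return the installed craftcms/cms version from composer.lock text, or None."""
    for package in json.loads(lock_text).get("packages", []):
        if package.get("name") == "craftcms/cms":
            return package.get("version")
    return None


def triage(lock_text):
    """Summarise one site: which Craft version is installed and whether it is in range."""
    version = craft_version_from_lock(lock_text)
    if version is None:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(triage(SAMPLE_COMPOSER_LOCK))
```

The script answers only the version question. The other condition in both CISA's description and Craft's advisory, a compromised security key, has to be assessed separately for each site, since a later release alone says nothing about whether the key has leaked.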

In an advisory released on GitHub, Craft CMS noted that all unpatched versions of Craft with a compromised security key are impacted by the security defect.

“If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue,” it noted.


Both CISA's description and Craft's advisory tie the remote code execution to a compromised security key: the patched versions close the code-injection path, while a leaked key on an unpatched installation is what makes it exploitable. It is currently not clear how the user security keys were compromised, and in what context. To mitigate the risk posed by the vulnerability, it is recommended that Federal Civilian Executive Branch (FCEB) agencies apply the required fixes by March 13, 2025.
