External risk intelligence

Craft CMS Remote Code Execution Vulnerability.

CVE advisory | Known Exploit

CVE-2025-23209

A remote code execution vulnerability affects Craft CMS installations with a compromised security key. This could allow attackers to execute arbitrary code, impacting systems and data. Business risk includes potential data breaches and operational disruption. Patches are available for Craft 5.5.8 and 4.13.8.

Halo Surface Signal: 4

Weakness class: Code Injection (CWE-94)

Vendor / product: Craftcms / Craft CMS

Affected versions: 4.0.0 up to (but not including) 4.13.8; 5.0.0 up to (but not including) 5.5.8

External exposure likelihood

Halo Surface Signal score for CVE-2025-23209

Craft CMS is a web content management system designed to power public-facing websites and web applications. As a CMS, it is commonly deployed as an internet-accessible service, making the application surface reachable from the public internet in typical deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

Craft CMS installations that have a compromised security key are vulnerable to remote code execution. This flaw allows an attacker to execute arbitrary code on the affected system, potentially leading to unauthorized access and modification of data. The primary impact is the risk of attackers gaining control of the system, compromising sensitive information, and disrupting business operations.

  • Vulnerable: Craft CMS with a compromised security key.
  • Flaw: Allows remote code execution.
  • Impact: System compromise and data breaches.

Attack Path

How an attacker could exploit the issue

An attacker can exploit a vulnerability in Craft CMS by leveraging a compromised security key. This allows them to execute arbitrary code on the affected system, posing a significant risk to data integrity and business operations. The vulnerability affects unpatched versions of Craft 4 and 5.

  • Exposure: Compromised security key.
  • Attacker access: Remote, unauthenticated.
  • Trigger: Exploiting the vulnerability.
  • Impact: Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A remote code execution vulnerability exists in Craft CMS, affecting installations where the security key has been compromised. Successful exploitation could allow an attacker to execute arbitrary code on the affected system. This presents a significant business risk, as it could lead to data breaches, system compromise, or service disruption. Organizations running unpatched versions of Craft CMS with compromised security keys should consider this a high-priority issue.

  • Likely attacker skill level: High.
  • Required access or conditions: Compromised security key.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization with Craft CMS installations needs to address a remote code execution vulnerability. This issue affects specific versions of Craft 4 and 5 when the security key has been compromised. The vendor has released patches for Craft 5.5.8 and 4.13.8. For those unable to update immediately, rotating security keys and enhancing privacy measures can help mitigate the risk.

  • Identify all affected Craft CMS assets.
  • Reduce exposure by rotating security keys.
  • Apply vendor patches and verify fixes.
  • Monitor for related security incidents.
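A small triage helper for the first action above (identifying affected Craft CMS assets), added here as an example and not part of the advisory or of Craft's own tooling. It assumes a composer.lock file with the standard "packages" array and applies the affected version ranges stated on this page (4.0.0 to before 4.13.8, 5.0.0 to before 5.5.8); the lock fragment it runs on is constructed for demonstration.

```python
import json
import re

# Affected ranges from the advisory: 4.0.0 <= v < 4.13.8 and 5.0.0 <= v < 5.5.8.
AFFECTED_RANGES = (((4, 0, 0), (4, 13, 8)), ((5, 0, 0), (5, 5, 8)))


def parse_version(text):
    """Turn '4.13.7', 'v5.5.8' or '5.5.8-beta.1' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are ignored, so a 5.5.8 beta is treated as 5.5.8 (assumption)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the installed version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def craft_version_from_lock(lock_json):
    """Return the installed craftcms/cms version from a composer.lock document, or None."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def assess_lock(lock_json):
    """Summarise whether the site described by this composer.lock needs the patch."""
    version = craft_version_from_lock(lock_json)
    if version is None:
        return {"version": None, "affected": False, "note": "craftcms/cms not found"}
    return {"version": version, "affected": is_affected(version)}


# Constructed composer.lock fragment for demonstration only (not from a real site).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "yiisoft/yii2", "version": "2.0.49"},
                                       {"name": "craftcms/cms", "version": "4.13.7"}]})

if __name__ == "__main__":
    print(assess_lock(SAMPLE_LOCK))  # {'version': '4.13.7', 'affected': True}
```

Run it against each site's composer.lock to build the asset list; a site on 4.13.8 or 5.5.8 and later is reported as not affected, so rotating the security key remains a separate step.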

Frequently asked questions

What is the nature of the remote code execution vulnerability affecting Craft CMS?

This vulnerability allows an attacker to execute arbitrary code on affected Craft CMS installations, posing a significant risk of system compromise and data breaches. The flaw is present in Craft 4 and 5 versions when the system's security key has been compromised.

How does an attacker exploit the Craft CMS vulnerability, and what is the weakness class?

The vulnerability, classified under CWE-94 (Code Injection), is exploitable when an attacker leverages a compromised security key. This allows for remote code execution on the affected system.

What is required for an attacker to trigger this remote code execution vulnerability in Craft CMS?

An attacker needs a compromised security key to exploit this vulnerability in Craft CMS. The exploitation allows for remote code execution, impacting unpatched versions of Craft 4 and 5.

What is the relevance of the Craft CMS vulnerability, and is it listed on the CISA Known Exploited Vulnerabilities catalog?

This remote code execution vulnerability in Craft CMS is highly relevant due to the potential for system compromise and data breaches. It has been listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation.

What steps should be taken to respond to the Craft CMS remote code execution vulnerability?

Organizations should identify all affected Craft CMS assets, rotate security keys to reduce exposure, and promptly apply vendor-provided patches. For Craft 5, version 5.5.8 and later are patched, and for Craft 4, version 4.13.8 and later are patched. Verifying the fixes and monitoring for related security incidents are also crucial.
