External risk intelligence

Craft CMS Arbitrary Code Execution Vulnerability

CVE advisory · Known Exploit

CVE-2025-35939

This vulnerability in Craft CMS allows unauthenticated users to inject arbitrary code into server-side session files. This could lead to unauthorized code execution, impacting systems and potentially exposing sensitive data. Organizations should prioritize applying vendor patches to mitigate this risk.

Halo Surface Signal: 4

Vendor: Craftcms · Product: Craft CMS

Affected versions: before 4.15.3; 5.0.0 to before 5.7.5

External exposure likelihood

Halo Surface Signal score for CVE-2025-35939

Craft CMS is a content management system designed to be deployed as a public-facing web application. Since it operates as an internet-accessible web service that processes incoming HTTP requests, the vulnerable component is commonly exposed to the public internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

Craft CMS allows unauthenticated users to introduce arbitrary values, such as PHP code, into session files stored on the server. This occurs because the system does not properly sanitize parameters in return URLs, which are then used to name session files. This vulnerability could potentially lead to the execution of unintended code.

  • Vulnerable component: Craft CMS session files
  • Core weakness: Unsanitized return URL parameters
  • Main business impact: Potential for arbitrary code execution

Attack Path

How an attacker could exploit the issue

An unauthenticated user can introduce arbitrary values, such as PHP code, into session files on the server by manipulating return URL parameters. This occurs because Craft CMS does not sanitize these parameters when redirecting requests that require authentication. The session files are created in a predictable location on the server, allowing the malicious input to be stored.

  • Exposure condition: Unauthenticated access to Craft CMS.
  • Attacker starting point: Network.
  • Trigger and result: Inject code into session files.
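The advisory describes the trigger as a return-URL parameter whose value is not sanitized before it reaches a server-side session file. From a monitoring standpoint, that gives a concrete thing to look for in web server access logs. The following is an added example, not code from Craft CMS or from this advisory: it parses constructed common-log-format lines and flags return-URL parameters that carry content a legitimate redirect target never contains (a PHP open tag, path traversal, a null byte). The parameter names in `RETURN_URL_PARAMS` (`returnUrl` and the others) are assumptions about what a deployment logs; adjust them to the names your Craft instance actually uses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in common log format (not real traffic). The second
# line carries a PHP open tag in a return-URL parameter, the pattern this
# advisory describes; the other two are ordinary requests.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2025:10:00:01 +0000] "GET /admin/login?returnUrl=%2Fadmin%2Fdashboard HTTP/1.1" 200 512
203.0.113.11 - - [01/Jun/2025:10:00:02 +0000] "GET /admin/login?returnUrl=%3C%3Fphp%20%2F%2F HTTP/1.1" 302 0
203.0.113.12 - - [01/Jun/2025:10:00:03 +0000] "GET /index.php?p=news HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Parameter names that commonly carry a post-login destination. These names are
# an assumption (the advisory does not name the parameter); match them to your logs.
RETURN_URL_PARAMS = {"returnurl", "return", "redirect"}

# Content that never belongs in a legitimate return URL value.
SUSPICIOUS = [
    ("php open tag", re.compile(r"<\?", re.IGNORECASE)),
    ("path traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("null byte", re.compile(r"\x00")),
]


def inspect_target(target):
    """Return (param, reason) findings for one request target (path + query)."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes values, so encoded tags are inspected in clear.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in RETURN_URL_PARAMS:
            continue
        for reason, pattern in SUSPICIOUS:
            if pattern.search(value):
                findings.append((name, reason))
    return findings


def scan_log(text):
    """Scan access-log text and return one dict per suspicious parameter hit."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for param, reason in inspect_target(m.group("target")):
            hits.append({"ip": m.group("ip"), "param": param, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit from this scan is a signal to review, not proof of compromise: confirm the installed version against the fixed releases and check the session storage directory for files whose names or contents were shaped by request input.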

Live Threat

Current exploitation, exposure, and threat context

The Craft CMS vulnerability presents a significant risk to organizations using the platform. Attackers can potentially inject arbitrary code into session files, leading to unauthorized access and execution on the server. This could result in data compromise and system disruption, impacting business operations. Organizations should consider this a high-priority issue.

  • Likely attacker skill level: Low
  • Required access or conditions: None
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Organizations should close off the ability of unauthenticated users to inject arbitrary code into session files on the server. This vulnerability could potentially lead to code execution, impacting system integrity and business operations. The known exploited vulnerabilities catalog lists this issue, indicating a potential for active exploitation by attackers.

  • Find all Craft CMS assets.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes and validate.
  • Monitor for related activities.

Frequently asked questions

What is the primary vulnerability in Craft CMS related to session files and unauthenticated user input?

Craft CMS has a vulnerability where unauthenticated users can inject arbitrary values, like PHP code, into session files. This happens because the system doesn't properly sanitize return URL parameters used in session file naming, potentially allowing for unintended code execution.

How does the unsanitized return URL parameter in Craft CMS lead to a security weakness?

The weakness stems from Craft CMS not sanitizing parameters in return URLs. Unauthenticated clients can insert arbitrary values, such as PHP code, into these parameters. This input is then used in the naming of session files stored locally on the server, creating a path for potential code injection.

What is the potential impact of an unauthenticated client introducing arbitrary values into Craft CMS session files?

When an unauthenticated client introduces arbitrary values, like PHP code, into Craft CMS session files, it can lead to the execution of unintended code on the server. This exploitation could result in unauthorized access and compromise of the system's integrity.

How does the Halo Surface Signal assess the relevance of this Craft CMS vulnerability?

Halo Surface Signal scores this vulnerability as 'Likely' because Craft CMS is typically a public-facing web application. Its design involves processing incoming HTTP requests, meaning the vulnerable component is inherently exposed to the internet, increasing its potential for exploitation.

What practical steps should an organization take to address the Craft CMS arbitrary code execution vulnerability?

Organizations should first identify all Craft CMS assets, then reduce exposure or isolate affected systems. Applying vendor-released fixes for versions 4.15.3 and 5.7.5 is crucial. Finally, continuous monitoring for related malicious activities is recommended.
