CVE-2025-14700

9.9 CRITICAL

📋 TL;DR

This critical vulnerability in Crafty Controller's Webhook Template component allows authenticated attackers to execute arbitrary code on the server through template injection. All Crafty Controller instances with the vulnerable component are affected, potentially giving attackers full system control.

💻 Affected Systems

Products:
  • Crafty Controller
Versions: Crafty 4 versions prior to the fix
Operating Systems: All platforms running Crafty Controller
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the webhook template functionality. All default installations with webhook features enabled are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing the attacker to execute arbitrary commands, steal data, install persistent backdoors, pivot to other systems, and disrupt operations.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and input validation are implemented, though risk remains significant.

🌐 Internet-Facing: HIGH - Webhook endpoints are typically internet-facing, allowing remote authenticated attackers to exploit this vulnerability from anywhere.
🏢 Internal Only: HIGH - Even internally, authenticated users can exploit this to gain elevated privileges and compromise the system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. Template injection vulnerabilities are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitLab issue for specific fixed version

Vendor Advisory: https://gitlab.com/crafty-controller/crafty-4/-/issues/646

Restart Required: Yes

Instructions:

1. Check the GitLab issue for the latest patched version.
2. Update Crafty Controller to the patched version.
3. Restart the Crafty Controller service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Disable Webhook Templates

Platform: all

Temporarily disable or restrict access to the webhook template functionality.

# Modify Crafty Controller configuration to disable webhook templates
# Check documentation for specific configuration options

Restrict Authentication

Platform: all

Limit authentication to trusted users only and implement strong access controls.

# Review and tighten authentication mechanisms
# Implement IP whitelisting if possible

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Crafty Controller from critical systems
  • Apply strict input validation and sanitization to all template inputs

🔍 How to Verify

Check if Vulnerable:

Check Crafty Controller version against the vulnerable range specified in the GitLab issue

Check Version:

# Check Crafty Controller version through web interface or configuration files

Verify Fix Applied:

Verify the Crafty Controller version matches or exceeds the patched version mentioned in the advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual template processing errors
  • Suspicious webhook template modifications
  • Unexpected system command execution

Network Indicators:

  • Unusual outbound connections from Crafty Controller
  • Suspicious payloads in webhook requests

SIEM Query:

Example: 'source="crafty-controller" AND (template_error OR webhook_injection)'
