CVE-2025-23209
📋 TL;DR
This is a remote code execution vulnerability in Craft CMS versions 4 and 5 that allows attackers to execute arbitrary code on affected systems. The vulnerability requires that the Craft security key has already been compromised through other means. All unpatched Craft 4 and 5 installations with compromised security keys are vulnerable.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.
Likely Case
Unauthorized access to the CMS, data exfiltration, website defacement, or installation of backdoors.
If Mitigated
No impact if security keys are properly protected and systems are patched.
🎯 Exploit Status
Exploitation requires prior compromise of the Craft security key, which adds a prerequisite step for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Craft 5.5.8 and Craft 4.13.8
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
Restart Required: No
Instructions:
1. Backup your database and files.
2. Update Craft CMS to version 5.5.8 (for Craft 5) or 4.13.8 (for Craft 4).
3. Verify the update was successful by checking the version in the control panel.
🔧 Temporary Workarounds
Rotate Security Keys
Generate new security keys to invalidate any previously compromised keys:
php craft setup/security-key
🧯 If You Can't Patch
- Immediately rotate all Craft security keys using the setup/security-key command
- Implement strict access controls and monitoring for the Craft CMS installation
🔍 How to Verify
Check if Vulnerable:
Check Craft CMS version in the control panel or via command line: php craft --version
Check Version:
php craft --version
Verify Fix Applied:
Confirm version is 5.5.8 or higher (for Craft 5) or 4.13.8 or higher (for Craft 4)
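The version check above is easy to get wrong by hand (4.14.0 is fixed even though "14" sorts before "5" as a string, and a 5.5.8 pre-release build predates the 5.5.8 release). The following Python snippet is an added example, not part of this advisory or of Craft CMS itself; it parses the output of `php craft --version`, compares it numerically against the fixed releases stated above (5.5.8 and 4.13.8), and treats any pre-release suffix as older than the final release. The `check_installed` helper, the assumption that the command is run from the Craft project root, and the sample version strings are constructed for the example.

```python
# Added example (not from the advisory or from Craft CMS): classify a Craft 4/5
# version string as patched or not for CVE-2025-23209.
import re
import subprocess

# Fixed releases from the advisory, as (major, minor, patch, is_release).
# is_release is 1 for a final release and 0 for a pre-release (e.g. "-beta.1"),
# so that "5.5.8-beta.1" sorts below "5.5.8".
FIXED_RELEASES = {
    4: (4, 13, 8, 1),
    5: (5, 5, 8, 1),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Extract the first x.y.z[-prerelease] version from arbitrary text
    (e.g. the output of `php craft --version`) as a comparable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable(version_text):
    """Return True if the version predates the fixed release for its major
    line, False if it is at or above it, and None if the major version is
    not one the advisory covers (Craft 4 and 5 only)."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        return None
    # Tuple comparison is numeric per component, so 4.14.0 > 4.13.8 and
    # 5.5.8-beta.1 < 5.5.8, as intended.
    return v < fixed


def check_installed(craft_dir="."):
    """Run `php craft --version` in the Craft project root (assumed to be
    craft_dir) and report the parsed version and vulnerability status."""
    out = subprocess.run(
        ["php", "craft", "--version"],
        cwd=craft_dir,
        capture_output=True,
        text=True,
        check=True,
    ).stdout
    return {"version": parse_version(out), "vulnerable": is_vulnerable(out)}


if __name__ == "__main__":
    # Constructed sample strings; replace with check_installed() on a real host.
    for sample in ["Craft CMS 5.5.7", "5.5.8", "4.13.7", "4.14.0", "5.5.8-beta.1"]:
        print(f"{sample:>20}: vulnerable={is_vulnerable(sample)}")
```

A `None` result means the major version is outside the advisory's scope rather than "safe"; treat it as a prompt to check the vendor advisory directly. A `False` result confirms only that the code is patched; per the advisory, a security key that was exposed before patching should still be rotated.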
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP file execution patterns
- Unexpected process creation from web server
- Suspicious POST requests to Craft endpoints
Network Indicators:
- Unusual outbound connections from web server
- Traffic to known malicious IPs
SIEM Query:
source="craft.log" AND ("security key" OR "unauthorized" OR "RCE")
🔗 References
- https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
- https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
- https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209