CVE-2025-54417
📋 TL;DR
This vulnerability allows remote code execution in Craft CMS when attackers have a compromised security key and can create arbitrary files in the /storage/backups folder. By sending malicious requests to the /updater/restore-db endpoint, attackers can execute CLI commands on the server. Affected users are those running Craft CMS versions 4.13.8-4.16.2 or 5.5.8-5.8.3 with compromised security keys.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Limited RCE within the Craft CMS context, potentially leading to data theft, website defacement, or further privilege escalation.
If Mitigated
No impact if security keys are properly protected and file upload restrictions are enforced.
🎯 Exploit Status
Exploitation requires two preconditions: compromised security key and file creation capability in backups folder.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.16.3 and 5.8.4
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw
Restart Required: Yes
Instructions:
1. Back up your database and files.
2. Update Craft CMS to version 4.16.3 (for Craft 4) or 5.8.4 (for Craft 5).
3. Restart your web server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict access to /updater/restore-db endpoint
Block access to the vulnerable endpoint via web server configuration or firewall rules.
# Apache: RewriteRule ^updater/restore-db - [F]
# Nginx: location ~ /updater/restore-db { return 403; }
Secure /storage/backups directory
Restrict file creation permissions in the backups folder to prevent arbitrary file uploads.
chmod 750 /path/to/craft/storage/backups
chown www-data:www-data /path/to/craft/storage/backups
🧯 If You Can't Patch
- Rotate all security keys immediately and store them securely
- Implement strict file upload validation and monitoring for /storage/backups directory
🔍 How to Verify
Check if Vulnerable:
Check Craft CMS version in admin panel or via composer show craftcms/cms
Check Version:
composer show craftcms/cms | grep versions
Verify Fix Applied:
Verify that the installed version is 4.16.3 or later (Craft 4) or 5.8.4 or later (Craft 5), and confirm that requests to the /updater/restore-db endpoint are refused with an error response.
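The version check above can be scripted so it is repeatable across many installs. The following is an added example, not code from this advisory or from the Craft CMS project; it encodes only the affected ranges and fixed versions stated above, and it assumes that `composer show craftcms/cms` prints the installed version on a line of the form `versions : * 5.8.2` (a constructed sample of that output is embedded so the script runs offline).

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges exactly as the advisory lists them, per major branch:
# (first affected, last affected, first fixed).
ADVISORY = {
    4: ((4, 13, 8), (4, 16, 2), (4, 16, 3)),
    5: ((5, 5, 8), (5, 8, 3), (5, 8, 4)),
}


def parse_version(text: str) -> Optional[Version]:
    """Pull X.Y.Z out of `composer show craftcms/cms` output or a bare version.

    Assumed composer format: a line such as `versions : * 5.8.2`.
    A bare string like `4.16.3` is accepted too.
    """
    m = re.search(r"versions\s*:\s*\*?\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version against the advisory's affected and fixed ranges."""
    if version[0] not in ADVISORY:
        # Craft 3 or earlier, or a future major: not covered by this advisory.
        return "outside_listed_range"
    first_bad, last_bad, first_fixed = ADVISORY[version[0]]
    if version >= first_fixed:
        return "patched"
    if first_bad <= version <= last_bad:
        return "vulnerable"
    # e.g. 4.13.7: older than the listed affected range, so not classified here.
    return "outside_listed_range"


def check_installed(project_dir: str = ".") -> str:
    """Run composer inside a Craft project directory and classify the result."""
    proc = subprocess.run(
        ["composer", "show", "craftcms/cms"],
        cwd=project_dir, capture_output=True, text=True, check=False,
    )
    version = parse_version(proc.stdout)
    return "unknown" if version is None else assess(version)


# Constructed sample of composer output so the module can be exercised offline.
SAMPLE_COMPOSER_OUTPUT = "name     : craftcms/cms\nversions : * 5.8.2\n"

if __name__ == "__main__":
    v = parse_version(SAMPLE_COMPOSER_OUTPUT)
    print(v, assess(v))  # (5, 8, 2) vulnerable
```

Run `check_installed("/path/to/craft")` on a real project; anything other than `patched` should be followed by the update steps above. Versions outside the listed ranges are deliberately reported as such rather than as safe, because the advisory makes no statement about them.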
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /updater/restore-db endpoint
- Unexpected file creation in /storage/backups
- Suspicious CLI command execution
Network Indicators:
- POST requests to /updater/restore-db with unusual parameters
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_logs" AND (uri="/updater/restore-db" OR uri="/updater/restore-db/*")
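For environments without a SIEM, the same indicator can be checked directly against web server access logs. The script below is an added example, not part of this advisory or of Craft CMS; it assumes the default combined log format written by Apache and Nginx and matches the same URI scope as the SIEM query above (the endpoint itself or anything beneath it). The log lines are constructed samples with documentation-range addresses.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Combined log format (Apache/Nginx default), assumed for the input lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ENDPOINT = "/updater/restore-db"


def touches_endpoint(uri: str) -> bool:
    """Same scope as the SIEM query: the endpoint or any path under it.

    The query string is dropped first, and the prefix test requires a
    following slash so that unrelated paths such as /updater/restore-db-old
    are not reported.
    """
    path = uri.split("?", 1)[0]
    return path == ENDPOINT or path.startswith(ENDPOINT + "/")


def find_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request that reached the restore-db endpoint."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or not touches_endpoint(m["uri"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "uri": m["uri"],
            "status": status,
            # A 2xx/3xx means the application handled the request. After the
            # web server block or the patch, these requests should be refused,
            # so a served hit is the one worth escalating.
            "served": status < 400,
        })
    return hits


def per_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count hits per client address to spot repeated probing."""
    return dict(Counter(str(h["ip"]) for h in hits))


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Aug/2025:10:01:09 +0000] "POST /updater/restore-db HTTP/1.1" 200 77',
    '198.51.100.4 - - [12/Aug/2025:10:02:11 +0000] "GET /updater/restore-db/?x=1 HTTP/1.1" 403 153',
    '192.0.2.9 - - [12/Aug/2025:10:03:00 +0000] "GET /updater/restore-db-old HTTP/1.1" 404 210',
    '192.0.2.9 - - [12/Aug/2025:10:03:30 +0000] "GET /admin/login HTTP/1.1" 200 8801',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["uri"]} -> {hit["status"]} ({flag})')
    print(per_source(find_hits(SAMPLE_LOG)))
```

Pipe a real access log into `find_hits` line by line; pair any served POST with the file-creation indicator above (a new file appearing in /storage/backups around the same timestamp) before treating it as an exploitation attempt rather than an administrator's own restore.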