CVE-2025-66304
📋 TL;DR
Grav CMS versions before 1.8.0-beta.27 expose password hashes to users with read access to the admin panel's user management section. This allows attackers with basic admin panel access to potentially crack passwords and escalate privileges. All Grav installations with admin panel access are affected.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Attackers crack admin password hashes, gain full administrative control, and compromise the entire Grav installation and underlying server.
Likely Case
Privileged users with read-only access extract password hashes, crack weaker passwords, and escalate their privileges within the system.
If Mitigated
With strong password policies and proper access controls, hash cracking becomes difficult, limiting impact to information disclosure only.
🎯 Exploit Status
Exploitation requires authenticated access to the admin panel with read permission on user management. Once that access is obtained, hash extraction is trivial: the hashes are displayed in the panel itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27 and later
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85
Restart Required: No
Instructions:
1. Back up your Grav installation.
2. Update Grav to version 1.8.0-beta.27 or later via GPM: 'bin/gpm selfupgrade' then 'bin/gpm update'.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Admin Panel Access
Limit access to the admin panel to only trusted administrators who require write access.
Implement Strong Password Policies
Enforce complex passwords and regular password rotation to make hash cracking more difficult.
🧯 If You Can't Patch
- Implement strict access controls to limit who can view the user management section
- Force password resets for all users, especially administrators
🔍 How to Verify
Check if Vulnerable:
Check the Grav version via the admin panel dashboard or run 'bin/grav version' in a terminal. If the version is below 1.8.0-beta.27, the system is vulnerable.
Check Version:
bin/grav version
Verify Fix Applied:
After updating, verify that the version is 1.8.0-beta.27 or higher. Then confirm that password hashes are no longer visible in the user management section.
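The version check above (and the "Check Version" step) is easy to get wrong by hand because the fixed release is a beta: 1.7.x and 1.8.0-beta.26 are affected, while 1.8.0-beta.27, 1.8.0-rc.x and 1.8.0 are not. The following POSIX shell script is an added example, not part of this advisory or of the Grav project. It compares a version string against 1.8.0-beta.27 with that ordering. Assumptions: versions have the shape "x.y.z" or "x.y.z-tag.N", alpha sorts below beta below rc below the final release, and the `grav_installed_version` helper guesses that `bin/grav version` prints the version as the first "x.y.z[-tag.N]" token in its output (the exact output format is not given on this page).

```shell
#!/bin/sh
# Added example: is an installed Grav version older than the fixed release?
# Not part of the Grav project or this advisory. Assumes versions look like
# "1.7.48", "1.8.0-beta.26" or "1.8.0" (pre-releases as tag.number), and
# that alpha < beta < rc < final release within the same core version.

FIXED_VERSION="1.8.0-beta.27"

# Turn a version string into five space-separated integers that sort
# correctly: major minor patch prerelease_rank prerelease_number.
version_key() {
    v="$1"
    core="${v%%-*}"                      # "1.8.0"
    case "$v" in
        *-*) pre="${v#*-}" ;;            # "beta.27"
        *)   pre="" ;;                   # final release
    esac
    old_ifs="$IFS"; IFS=.; set -- $core; IFS="$old_ifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
    case "$pre" in
        "")  tag=""; num=0 ;;
        *.*) tag="${pre%%.*}"; num="${pre#*.}" ;;
        *)   tag="$pre"; num=0 ;;        # "beta" with no number
    esac
    case "$tag" in
        "")   rank=3 ;;                  # final release sorts above every pre-release
        rc)   rank=2 ;;
        beta) rank=1 ;;
        *)    rank=0 ;;                  # alpha and unknown tags sort lowest
    esac
    printf '%s %s %s %s %s\n' "$major" "$minor" "$patch" "$rank" "$num"
}

# Exit 0 when version $1 sorts strictly before version $2, 1 otherwise.
version_lt() {
    ka=$(version_key "$1")
    kb=$(version_key "$2")
    set -- $ka
    for b in $kb; do
        a="$1"; shift
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
    done
    return 1                             # equal
}

# Exit 0 when the given version is affected by CVE-2025-66304.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# ASSUMPTION (not confirmed by this advisory): `bin/grav version` prints the
# version somewhere in its output; take the first "x.y.z[-tag.N]" token.
grav_installed_version() {
    "${1:-bin/grav}" version 2>/dev/null \
        | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(-[a-z]+\.[0-9]+)?' | head -n 1
}

# Usage: sh check_grav.sh 1.7.48 1.8.0-beta.27
#    or: sh check_grav.sh "$(grav_installed_version /var/www/grav/bin/grav)"
if [ "$#" -gt 0 ]; then
    for v in "$@"; do
        if is_vulnerable "$v"; then
            echo "$v: VULNERABLE (older than $FIXED_VERSION)"
        else
            echo "$v: not affected"
        fi
    done
fi
```

Run it with the version string from the dashboard or from `bin/grav version`; a plain `sort -V` is not a substitute here, since it does not reliably place "1.8.0-beta.27" before "1.8.0".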
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to user management pages
- Multiple failed login attempts followed by successful login from same IP
Network Indicators:
- Unusual API calls to user data endpoints from non-admin users
SIEM Query:
source="grav_access.log" AND (uri_path="/admin/users" OR uri_path="/admin/user") AND user NOT IN ("admin_user1", "admin_user2")
(Filter on the authenticated user field rather than the User-Agent header, and replace admin_user1 and admin_user2 with the accounts of your trusted administrators.)
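The two log indicators above can be checked without a SIEM. The script below is an added example, not part of this advisory or of Grav: it runs the "user management access by non-administrators" check and the "failed logins followed by a success from the same IP" check over a few constructed access-log lines. The line format (client IP, authenticated user, timestamp, request, status) and every user name and address in it are constructed for the example; Grav's real log layout differs, so the awk field positions must be adapted before use.

```shell
#!/bin/sh
# Added example (not from this advisory): offline versions of the two log
# indicators. Log format is CONSTRUCTED for the example:
#   <ip> <user> [<time>] "<method> <path>" <status>
SAMPLE_LOG='10.0.0.5 editor_bob [01/Jan/2025:10:00:01] "GET /admin/users" 200
10.0.0.9 admin_user1 [01/Jan/2025:10:01:12] "GET /admin/users" 200
10.0.0.5 editor_bob [01/Jan/2025:10:02:30] "GET /admin/user/alice" 200
10.0.0.7 - [01/Jan/2025:10:03:00] "POST /admin/login" 401
10.0.0.7 - [01/Jan/2025:10:03:05] "POST /admin/login" 401
10.0.0.7 - [01/Jan/2025:10:03:09] "POST /admin/login" 401
10.0.0.7 editor_carol [01/Jan/2025:10:03:20] "POST /admin/login" 200
10.0.0.9 admin_user2 [01/Jan/2025:10:05:00] "GET /admin/pages" 200'

# Indicator 1: requests to the user management pages (/admin/users and
# /admin/user/<name>) by any account not in the comma-separated allowlist $1.
# Reads log lines on stdin, prints "user ip path" per hit.
flag_user_management_access() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        ip = $1; user = $2; path = $5        # $4 is "\"GET", $5 is "/path\""
        sub(/"$/, "", path)
        if ((path == "/admin/users" || path ~ /^\/admin\/user\//) && !(user in ok))
            print user, ip, path
    }'
}

# Indicator 2: at least $1 (default 3) failed admin logins from one IP
# immediately followed by a successful login from the same IP.
# Reads log lines on stdin, prints "ip user failure_count" per hit.
flag_failed_then_success() {
    awk -v t="${1:-3}" '
    {
        ip = $1; user = $2; path = $5; status = $6
        sub(/"$/, "", path)
        if (path != "/admin/login") next
        if (status == 401) {
            fails[ip]++
        } else if (status == 200) {
            if (fails[ip] >= t) print ip, user, fails[ip]
            fails[ip] = 0                    # a success resets the streak
        }
    }'
}

# Usage on a real file (after adapting the field positions):
#   flag_user_management_access "admin_user1,admin_user2" < grav_access.log
#   flag_failed_then_success 3 < grav_access.log
printf '%s\n' "$SAMPLE_LOG" | flag_user_management_access "admin_user1,admin_user2"
printf '%s\n' "$SAMPLE_LOG" | flag_failed_then_success 3
```

On the constructed sample this reports editor_bob's two user-management requests and the 10.0.0.7 address that logged in as editor_carol after three failures; admin_user1 and admin_user2 are filtered out because they are on the allowlist.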