CVE-2025-68454

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated remote code execution in Craft CMS via Twig Server-Side Template Injection (SSTI). Attackers with administrator access (or non-administrators with access to the System Messages utility) can execute arbitrary code on the server. Affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16.

💻 Affected Systems

Products:
  • Craft CMS
Versions: 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires authenticated access (admin or the System Messages utility) and allowAdminChanges enabled (which is recommended against for production).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case: Authenticated attackers with admin privileges or System Messages access achieve remote code execution, potentially leading to data theft or system takeover.

🟢 If Mitigated: With allowAdminChanges disabled and proper access controls, risk is limited to authorized administrators only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and specific conditions, but the vulnerability is well-documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.21 and 4.16.17

Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383

Restart Required: No

Instructions:

1. Back up your Craft CMS installation and database.
2. Update Craft CMS to version 5.8.21 (for Craft 5) or 4.16.17 (for Craft 4).
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable allowAdminChanges (applies to: all)

Set allowAdminChanges to false in config/general.php to prevent admin changes in production environments.

In config/general.php: 'allowAdminChanges' => false

Restrict System Messages Access (applies to: all)

Limit access to the System Messages utility to trusted administrators only.

🧯 If You Can't Patch

  • Disable allowAdminChanges in production environments immediately.
  • Implement strict access controls and monitor for suspicious admin activity.

🔍 How to Verify

Check if Vulnerable:

Check Craft CMS version via Control Panel → Utilities → System Report or by examining composer.json.

Check Version:

php craft --version

Verify Fix Applied:

Confirm version is 5.8.21 or higher (for Craft 5) or 4.16.17 or higher (for Craft 4).
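As an added example (not part of the advisory or the Craft project), the version check above automated: it reads the installed craftcms/cms version from composer.lock (the lock file records the installed version, whereas composer.json only holds a constraint) and compares it against the fixed releases 5.8.21 and 4.16.17, treating pre-releases such as 5.0.0-RC1 as older than the matching final release. The composer.lock content is a constructed sample.

```python
import json
import re

# First non-vulnerable release on each affected branch, per the advisory.
FIXED = {5: (5, 8, 21), 4: (4, 16, 17)}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a sortable tuple.

    A pre-release such as 5.0.0-RC1 sorts before the final 5.0.0; the
    pre-release label itself is compared as a plain string.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, 0 if pre else 1, pre or "")


def is_vulnerable(version):
    """True if craftcms/cms `version` is below the fixed release of its branch,
    i.e. within 5.0.0-RC1..5.8.20 or 4.0.0-RC1..4.16.16."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # other major lines are not listed as affected
    return v < fixed + (1, "")  # strictly below the final fixed release


def installed_craft_version(lock_text):
    """Return the craftcms/cms version recorded in a composer.lock document."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    raise LookupError("craftcms/cms not found in composer.lock")


# Constructed sample of the relevant part of a composer.lock, not a real file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "twig/twig", "version": "v3.14.0"},
    {"name": "craftcms/cms", "version": "5.8.20"},
]})

if __name__ == "__main__":
    v = installed_craft_version(SAMPLE_LOCK)
    print(f"craftcms/cms {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Point installed_craft_version at the real composer.lock of a deployment (open the file and pass its text) to check a live install.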

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity, especially in System Messages or Settings sections
  • Suspicious Twig template modifications

Network Indicators:

  • Unusual outbound connections from Craft CMS server

SIEM Query:

source="craft.log" AND ("System Messages" OR "Settings" OR "Twig") AND ("modif*" OR "exec*" OR "shell*")
