CVE-2025-68455
📋 TL;DR
This vulnerability allows authenticated remote code execution in Craft CMS when an attacker with administrator access uploads a malicious Behavior attachment. It affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. Attackers must have administrator credentials to exploit this vulnerability.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft CMS by craftcms
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.
Likely Case
Data theft, website defacement, or installation of backdoors by compromised administrators or attackers who have stolen admin credentials.
If Mitigated
Limited impact if proper access controls and monitoring are in place, though still concerning due to RCE potential.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once authenticated. The vulnerability is in how Craft handles Behavior attachments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.21 and 4.16.17
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
Restart Required: No
Instructions:
1. Back up your Craft CMS installation and database.
2. Update to Craft CMS 5.8.21 if using version 5.x.
3. Update to Craft CMS 4.16.17 if using version 4.x.
4. Verify the update was successful by checking the version in the Control Panel.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator account access to trusted users only and implement strong authentication controls.
Monitor Administrator Activity
Enable detailed logging of administrator actions, particularly Behavior attachment uploads.
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts and use multi-factor authentication.
- Monitor logs for suspicious administrator activity, especially Behavior attachment uploads.
🔍 How to Verify
Check if Vulnerable:
Check your Craft CMS version in the Control Panel under Settings → System → System Status. If the version is between 5.0.0-RC1 and 5.8.20 or between 4.0.0-RC1 and 4.16.16 (inclusive), you are vulnerable.
Check Version:
Check via the Craft Control Panel: Settings → System → System Status, or read the installed craftcms/cms version from composer.lock (composer.json only records the version constraint, not the version actually installed).
Verify Fix Applied:
After updating, verify the version shows as 5.8.21 or higher for version 5.x, or 4.16.17 or higher for version 4.x in the Control Panel.
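As an added example (not part of the advisory), the following Python script performs the version check above against the installed craftcms/cms entry in composer.lock. It encodes the affected ranges and fixed versions exactly as stated on this page, treats the RC lower bounds as pre-releases that sort below the corresponding final release, and reports "vulnerable", "fixed", or "outside-listed-branches" for versions on branches the advisory does not cover. The composer.lock excerpt embedded at the bottom is constructed for the demonstration, not taken from a real installation.

```python
import json
import re

# Affected ranges (inclusive) and first fixed version per major branch,
# exactly as stated in the advisory for CVE-2025-68455.
AFFECTED_RANGES = {
    4: ("4.0.0-RC1", "4.16.16", "4.16.17"),
    5: ("5.0.0-RC1", "5.8.20", "5.8.21"),
}

# Pre-release ordering: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+)?)?$", re.IGNORECASE
)


def parse_version(text):
    """Parse a Composer-style version ("5.8.20", "v4.0.0-RC1") into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre.lower()] if pre else _FINAL_RANK
    return (int(major), int(minor), int(patch), pre_rank, int(pre_num or 0))


def assess_version(text):
    """Classify one version string against the advisory's ranges."""
    v = parse_version(text)
    branch = AFFECTED_RANGES.get(v[0])
    if branch is None:
        return "outside-listed-branches"
    low, high, fixed = (parse_version(x) for x in branch)
    if low <= v <= high:
        return "vulnerable"
    if v >= fixed:
        return "fixed"
    # e.g. a beta below the RC1 lower bound: the advisory does not list it.
    return "outside-listed-branches"


def assess_composer_lock(lock_text):
    """Locate craftcms/cms in composer.lock JSON and return (version, verdict)."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"], assess_version(pkg["version"])
    return None, "craftcms/cms-not-found"


# Constructed sample composer.lock excerpt for the demonstration (not real data).
SAMPLE_LOCK = json.dumps(
    {"packages": [{"name": "craftcms/cms", "version": "5.8.20"}]}
)

if __name__ == "__main__":
    # To check a real installation: assess_composer_lock(open("composer.lock").read())
    print(assess_composer_lock(SAMPLE_LOCK))
```

Run it from the Craft project root with the real composer.lock to get the installed version and its verdict; a "fixed" verdict only confirms the package version, so still confirm the Control Panel reports the same version after deployment.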
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator login times or locations
- Suspicious Behavior attachment uploads
- Unexpected PHP execution or system commands
Network Indicators:
- Unusual outbound connections from the Craft CMS server
- Traffic to known malicious IPs or domains
SIEM Query:
Example (field and event names are illustrative and must be adapted to your logging pipeline): 'source="craft.log" AND ("admin login" OR "behavior upload" OR "attachment") AND status="success"'
🔗 References
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
- https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
- https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
- https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
- https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5