CVE-2025-68456

9.1 CRITICAL

📋 TL;DR

Unauthenticated attackers can trigger database backup operations in vulnerable Craft CMS versions, potentially causing resource exhaustion or exposing sensitive database information. This affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16. All users running these versions are vulnerable.

💻 Affected Systems

Products:
  • Craft CMS
Versions: 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configurations are vulnerable. Craft 3 users must upgrade to Craft 4 or 5 for fixes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system resource exhaustion leading to denial of service, or exposure of sensitive database information including credentials and user data.

🟠 Likely Case

Resource exhaustion causing service disruption and potential exposure of non-sensitive database information.

🟢 If Mitigated

Minimal impact with proper network segmentation and access controls limiting unauthenticated admin access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires reaching specific admin actions but no authentication, so it is relatively simple to carry out.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.21 and 4.16.17

Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr

Restart Required: Yes

Instructions:

1. Backup your database and files.
2. Update Craft CMS to version 5.8.21 (for Craft 5) or 4.16.17 (for Craft 4).
3. For Craft 3 users, upgrade to Craft 4 or 5 first.
4. Restart your web server.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Admin Access

Block unauthenticated access to admin endpoints using web server rules or a firewall. Craft's control-panel path is configurable (the cpTrigger setting, "admin" by default), so match the rule to the trigger actually in use, and scope a deny rule to untrusted source addresses rather than blocking the path outright, or legitimate administrators are locked out as well.

# Apache (server or virtual-host config, mod_rewrite): RewriteRule ^/admin - [F]
# Nginx: location ~ ^/admin { deny all; }

🧯 If You Can't Patch

  • Implement strict network access controls to limit admin panel access to trusted IPs only.
  • Monitor server resources and database backup operations for unusual activity.

🔍 How to Verify

Check if Vulnerable:

Check your Craft CMS version in the control panel or via composer show craftcms/cms (craftcms/cms is the package that carries the CMS version; craftcms/craft is only the starter project).

Check Version:

composer show craftcms/cms | grep versions

Verify Fix Applied:

Confirm version is 5.8.21 or higher (for Craft 5) or 4.16.17 or higher (for Craft 4).

📡 Detection & Monitoring

Log Indicators:

  • Unusual database backup operations
  • Unauthenticated requests to admin endpoints
  • High resource usage spikes

Network Indicators:

  • HTTP requests to /admin/* endpoints from unauthenticated sources
  • Large database export traffic

SIEM Query:

source="web_logs" AND (uri_path="/admin/*" AND http_status=200) AND NOT user_agent="*bot*"

As written, this matches every successful request under /admin/, legitimate sessions included; narrow it by source address, request rate, or whatever session or authentication field your log source carries.
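Added example, not part of this advisory: the SIEM condition above implemented in Python over constructed combined-format log lines, extended with a per-source burst threshold so that a repeated trigger pattern stands out from an editor's normal control-panel session. The cp_trigger parameter, the threshold and window values, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not captured traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /admin/login HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "POST /admin/login HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2025:10:00:09 +0000] "POST /admin/login HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.3 - - [10/Jan/2025:10:01:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Jan/2025:10:45:00 +0000] "GET /admin/entries HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:10:02:00 +0000] "GET /admin/login HTTP/1.1" 200 812 "-" "Googlebot/2.1"
192.0.2.9 - - [10/Jan/2025:10:02:01 +0000] "GET /admin/login HTTP/1.1" 200 812 "-" "Googlebot/2.1"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def matches_siem_query(rec, cp_trigger="admin"):
    """Same condition as the SIEM query: HTTP 200 under the CP path, non-bot UA."""
    return (rec["path"].startswith(f"/{cp_trigger}/") and rec["status"] == 200
            and "bot" not in rec["ua"].lower())

def find_bursts(log_text, cp_trigger="admin", threshold=3, window_s=60):
    """Return {ip: total_hits} for sources with >= threshold matching requests
    inside any window_s-second span (assumed thresholds; tune to your traffic)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and matches_siem_query(rec, cp_trigger):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(threshold - 1, len(stamps)):
            if (stamps[i] - stamps[i - threshold + 1]).total_seconds() <= window_s:
                flagged[ip] = len(stamps)
                break
    return flagged
```

On the sample, only 203.0.113.7 is flagged: the editor at 198.51.100.3 has two hits 44 minutes apart and the bot user agent is excluded by the query.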
