- CISA adds Craft CMS bug to its KEV catalog
- The bug was found in Craft CMS versions 4 and 5
- It allows for remote code execution
The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug in Craft CMS versions 4 and 5 to its Known Exploited Vulnerabilities (KEV) catalog, ringing the alarm for abuse in the wild.
The vulnerability is a remote code execution (RCE) flaw tracked as CVE-2025-23209, but we don’t know too many details about it, other than the fact exploitation is not that straightforward.
To abuse the bug, a threat actor first needs to have the installation security key, a cryptographic key that secures things like user authentication tokens, session cookies, database values, and more.
Decrypting sensitive data
Threat actors with possession of this bug can decrypt sensitive data, generate fake authentication tokens, or run malicious code from a distance.
Being added to KEV means that CISA has evidence someone is abusing the flaw in real-life attacks. However, the agency did not detail the attacks, so we don’t know who the threat actors are, or who the victims are. The deadline to patch the CMS is March 13, 2025. Admins should look for versions 5.5.8 and 4.13.8.
Admins suspecting compromise should delete old keys contained in the ‘.env’ files and generate new ones using php craft setup/security-key command. They should also be careful not to destroy previously encrypted data, since the new key cannot grant access to it.
Craft CMS is a content management system designed for developers and content creators. The company advertises it as a customizable and intuitive platform with powerful templating, clean control panel, and robust content modeling.
There are many ways in which cybercriminals can abuse flawed content management systems. For example, they can redirect the visitors to a malicious phishing page, stealing their sensitive data in the process. They can serve them malicious ads or, in more extreme cases, drop malware to their computers.
Leave a comment