CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

Avatar
A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the
[[{“value”:”

A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8.

“Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys,” the agency said.

The vulnerability affects the following version of the software –

>= 5.0.0-RC1, < 5.5.5
>= 4.0.0-RC1, < 4.13.8

In an advisory released on GitHub, Craft CMS noted that all unpatched versions of Craft with a compromised security key are impacted by the security defect.

“If you can’t update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue,” it noted.

It’s currently not clear how the user security keys were compromised, and in what context. To alleviate the risk posed by the vulnerability, it’s recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by March 13, 2025.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

China-linked hackers target European healthcare orgs in suspected espionage campaign

Next Post

Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks

Related Posts

CISA and FBI Raise Alerts on Exploited Flaws and Expanding HiatusRAT Campaign

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of flaws is below - CVE-2024-20767 (CVSS score: 7.4) - Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted
Avatar
Read More

New Banshee Stealer Variant Bypasses Antivirus with Apple’s XProtect-Inspired Encryption

Cybersecurity researchers have uncovered a new, stealthier version of a macOS-focused information-stealing malware called Banshee Stealer. "Once thought dormant after its source code leak in late 2024, this new iteration introduces advanced string encryption inspired by Apple's XProtect," Check Point Research said in a new analysis shared with The Hacker News. "This development allows it to
Avatar
Read More