Saturday, February 22, 2025

CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which affects Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8.

“Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys,” the agency said.

The vulnerability affects the following versions of the software:

  • >= 5.0.0-RC1, < 5.5.5
  • >= 4.0.0-RC1, < 4.13.8

In an advisory released on GitHub, Craft CMS noted that all unpatched versions of Craft with a compromised security key are impacted by the security defect.
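
A defender can check an installation against the affected ranges listed above by reading the Craft version pinned in a site's `composer.lock`. The following is an added example, not code from the article or from the Craft CMS project; it assumes the Composer package name `craftcms/cms`, and the sample lock file is constructed.

```python
import json
import re

# Affected ranges exactly as listed in the article: (inclusive lower, exclusive upper).
AFFECTED = [("5.0.0-RC1", "5.5.5"), ("4.0.0-RC1", "4.13.8")]

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-?(alpha|beta|rc)\.?(\d*))?$", re.I)
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}  # a stable release ranks above all of these


def parse_version(text):
    """Turn '5.0.0-RC1' or '4.13.7' into a tuple that sorts in release order."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, num = m.groups()
    stage_rank = _STAGE[stage.lower()] if stage else 3
    return (int(major), int(minor), int(patch), stage_rank, int(num or 0))


def is_affected(version):
    """True when the version falls inside one of the article's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED)


def check_lockfile(lock_text, package="craftcms/cms"):
    """Return (installed_version, affected) from composer.lock text, or (None, False)."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            return pkg["version"], is_affected(pkg["version"])
    return None, False


# Constructed sample input: a trimmed composer.lock, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.51"},
        {"name": "craftcms/cms", "version": "4.13.7"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, affected = check_lockfile(SAMPLE_LOCK)
    status = "in an affected range" if affected else "outside the listed ranges"
    print(f"craftcms/cms {version}: {status}")
```

A match only shows that the installed release is in the listed ranges; the advisory ties impact to a compromised security key, so key rotation remains relevant for sites that cannot update.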

“If you can’t update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue,” it noted.

It is currently not clear how the user security keys were compromised, and in what context. To mitigate the risk posed by the vulnerability, it is recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by March 13, 2025.
