The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated attention to a critical vulnerability affecting the Craft content management system (CMS) by incorporating it into its Known Exploited Vulnerabilities (KEV) catalog. This action is prompted by confirmed instances of active exploitation associated with this flaw.

Identified as CVE-2025-23209, this vulnerability carries a CVSS score of 8.1 and affects Craft CMS versions 4 and 5. Project maintainers issued patches for this issue in late December 2024, with updates aligning to versions 4.13.8 and 5.5.8.

CISA reported that the vulnerability allows for remote code execution due to compromised user security keys within vulnerable versions of Craft CMS. This compromise raises significant concerns regarding data integrity and system security.

The affected versions of Craft CMS include any builds beginning from 5.0.0-RC1 up to 5.5.5 and from 4.0.0-RC1 to below 4.13.8. In a GitHub advisory, the team behind Craft CMS noted that all unpatched versions with exploited security keys remain susceptible to the vulnerability. For organizations unable to swiftly update to a secure version, they suggested rotating security keys as a risk mitigation strategy.
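As an added example (not code from the original article or from the Craft CMS project), the following script triages a constructed inventory of Craft CMS installs against the patched releases named above, treating any 4.x or 5.x build older than 4.13.8 or 5.5.8 as unpatched; the release-candidate ordering (5.0.0-RC1 sorts before 5.0.0) and the `SAMPLE_INVENTORY` hostnames are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory; anything older on the same major
# line is treated as unpatched for CVE-2025-23209. Other majors are out of scope.
FIXED = {4: (4, 13, 8), 5: (5, 5, 8)}

# Accepts "X.Y.Z" or "X.Y.Z-RCn" (assumed Craft version string format).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Parse a version string into a sortable tuple, or None if unrecognised.

    Tuple is (major, minor, patch, is_final, rc). A release candidate has
    is_final=0, so 5.0.0-RC1 < 5.0.0 and both are covered by a 5.x range.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))

def is_vulnerable(version: str) -> Optional[bool]:
    """True if unpatched 4.x/5.x, False if patched or another major, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    if v[0] not in FIXED:
        return False
    return v < FIXED[v[0]] + (1, 0)   # compare against the final fixed release

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a defender action based on its reported Craft version."""
    actions = {}
    for host, ver in inventory.items():
        status = is_vulnerable(ver)
        if status is None:
            actions[host] = "unknown version: verify manually"
        elif status:
            fixed = ".".join(map(str, FIXED[parse_version(ver)[0]]))
            actions[host] = f"update to {fixed}; rotate the security key until then"
        else:
            actions[host] = "not affected by this advisory"
    return actions

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {"web-a": "5.0.0-RC1", "web-b": "4.13.7", "web-c": "5.5.8", "web-d": "n/a"}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```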

The exact circumstances surrounding the compromise of these security keys remain unclear, further complicating the risk landscape. CISA has advised that Federal Civilian Executive Branch (FCEB) agencies prioritize addressing this issue by March 13, 2025, to safeguard against potential breaches.

Additionally, back in December 2024, Craft CMS had alerted users about another significant security flaw (CVE-2024-56145), which could lead to remote code execution if the PHP `register_argc_argv` setting was enabled—a vulnerability that has not yet been added to CISA’s KEV catalog but indicates the ongoing security challenges facing users of this platform.

This incident underscores the need for vigilant cybersecurity practices that protect user data and system integrity. Initial access through compromised security keys aligns with tactics described in the MITRE ATT&CK framework, specifically those related to privilege escalation and persistence. Comprehensive security measures and timely updates are essential for organizations running platforms such as Craft CMS, especially in light of the evolving threat landscape.
