
A high-severity security flaw affecting the Craft content management system (CMS) has been added by the US Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1) and affects Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 with versions 4.13.8 and 5.5.8.
“Craft CMS contains a code injection vulnerability that allows remote code execution because a vulnerable version is breaching user security keys,” the agency said.

The vulnerability affects the following versions of the software:
- >= 5.0.0-RC1, < 5.5.5
- >= 4.0.0-RC1, < 4.13.8
In an advisory published on GitHub, Craft CMS noted that all unpatched Craft versions with compromised security keys are affected by the flaw.
“If you can’t update to a patched version, rotating the security key to ensure privacy can help mitigate the issue.”
It is currently not clear how the user security keys were compromised, or in what context. To mitigate the risk posed by the vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the necessary fixes by March 13, 2025.
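As an added example (not code from the article or from the Craft CMS project), the following Python turns the affected version ranges quoted above into a check that an inventory script can use to flag installs that still need the fix; the pre-release ordering and the sample version list are assumptions.

```python
# Added example: classify Craft CMS version strings against the affected ranges
# reported for CVE-2025-23209 (>=4.0.0-RC1,<4.13.8 and >=5.0.0-RC1,<5.5.5).
import re

# Affected ranges as given in the advisory (lower bound inclusive, upper exclusive).
AFFECTED_RANGES = [("4.0.0-RC1", "4.13.8"), ("5.0.0-RC1", "5.5.5")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(RC|beta|alpha)(\d+))?$", re.IGNORECASE)
# Assumed pre-release ordering: alpha < beta < rc < final release.
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = (3, 0)


def parse_version(text):
    """Turn '5.0.0-RC1' into a tuple that sorts correctly; a final release ranks above any RC."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = (_PRE_ORDER[m.group(4).lower()], int(m.group(5))) if m.group(4) else _FINAL
    return (major, minor, patch, pre)


def is_affected(version):
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each inventoried version to 'patch' or 'ok' (hypothetical reporting helper)."""
    return {ver: ("patch" if is_affected(ver) else "ok") for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["4.13.7", "4.13.8", "5.0.0-RC1", "5.5.4", "5.5.5", "3.9.1"]
    for ver, verdict in triage(sample).items():
        print(f"{ver:>10}: {verdict}")
```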