RCE in Craft CMS prior to 5.5.8/4.13.8 when security key compromised
CVE-2025-23209 Published on January 18, 2025
Potential RCE with a compromised security key in craft/cms
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.
Known Exploited Vulnerability
This Craft CMS Code Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys.
The following remediation steps are recommended / required by March 13, 2025: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2025-23209 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2025-23209 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2025-23209
Want to know whenever a new CVE is published for Craftcms Craft Cms? stack.watch will email you.
Affected Versions
craftcms cms:- Version >= 5.0.0-RC1, < 5.5.5 is affected.
- Version >= 4.0.0-RC1, < 4.13.8 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-23209
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | craftcms/cms | >= 4.13.8, < 4.16.3 | 4.16.3 |
| composer | craftcms/cms | >= 5.5.8, < 5.8.4 | 5.8.4 |
| composer | craftcms/cms | >= 5.0.0-RC1, < 5.5.5 | 5.5.8 |
| composer | craftcms/cms | >= 4.0.0-RC1, < 4.13.8 | 4.13.8 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.