CVE-2025-23209
Published 2025-01-18
Priority: P1 82 · Severity: high · CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability · due 2025-03-13
Exploited in the wild
EPSS: 4.71% (90.7th percentile)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security key and ensure its privacy to help mitigate the issue.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.13.8 | 4.13.8 |
| craftcms | cms | >= 4.13.8 < 4.16.3 | 4.16.3 |
| craftcms | cms | >= 5.0.0-RC1 < 5.5.8 | 5.5.8 |
| craftcms | cms | >= 5.5.8 < 5.8.4 | 5.8.4 |
| craftcms | craft_cms | < 4.13.8 | 4.13.8 |
| craftcms | craft_cms | < 5.5.8 | 5.5.8 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 4.13.8 < 4.16.3 | 4.16.3 |
| craftcms | craft_cms | >= 5.5.8 < 5.8.4 | 5.8.4 |
Detection & IOCs (extracted from sources)
- CVE-2025-23209 requires a pre-compromised security key to exploit; monitor for unauthorized access to or exfiltration of the Craft CMS CRAFT_SECURITY_KEY environment variable, as its compromise is a prerequisite for the RCE chain.
- Alert on unexpected or unauthorized file creation within the Craft CMS /storage/backups directory, as this is a required precondition for the bypass exploit (CVE-2025-54417) that enables RCE via /updater/restore-db.
- Monitor HTTP requests to the /updater/restore-db endpoint for anomalous or unauthenticated access patterns, particularly those originating from unexpected sources or containing crafted database backup path parameters.
- The vulnerability is described as a code injection flaw caused by improper validation of the database backup path; inspect WAF/web server logs for path traversal or unusual path values in backup-related requests.
- Exploitation of CVE-2025-23209 is only possible if the Craft CMS security key has already been compromised. The security key protects authentication tokens, session cookies, database values, and sensitive application data; its compromise is a hard prerequisite for this RCE.
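The detection guidance above boils down to three checks over web-server logs: any request that reaches the `updater/restore-db` route, whether it comes from an address outside the administrators' allowlist, and whether any parameter carries a traversal sequence or an absolute filesystem path. The following script is an added example, not code from this page or from the Craft CMS project. It assumes NCSA common/combined access-log lines, assumes a hypothetical `backup` query parameter name (the advisories do not name the parameter, so every parameter other than Craft's `p` route selector is inspected), and treats the admin allowlist as a set of source addresses you supply. The sample log lines are constructed.

```python
"""Flag suspicious requests to Craft's updater/restore-db endpoint in
web-server access logs (NCSA common/combined format)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Minimal NCSA access-log parser (assumption: common/combined format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Craft's control-panel URL prefix (default "admin") is configurable, so match
# the tail of the route rather than one fixed path.
RESTORE_DB = "updater/restore-db"
# ../ and ..\ plus the percent-encoded dot pair (checked after decoding too).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.IGNORECASE)
# Unix absolute path or Windows drive-rooted path.
ABSOLUTE_RE = re.compile(r"^(/|[A-Za-z]:[\\/])")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry, admin_allowlist):
    """Return an alert dict for a restore-db request, or None for any other request."""
    # Decode twice so single- and double-encoded traversal both surface.
    decoded = unquote(unquote(entry["target"]))
    parts = urlsplit(decoded)
    params = parse_qs(parts.query, keep_blank_values=True)
    # The route can sit in the path (/admin/updater/restore-db) or in the
    # "p" query parameter when the site routes through index.php.
    routed = [parts.path] + params.get("p", [])
    if not any(r.rstrip("/").lower().endswith(RESTORE_DB) for r in routed):
        return None

    reasons = [f"request to {RESTORE_DB} endpoint"]
    severity = "low"
    if entry["ip"] not in admin_allowlist:
        reasons.append(f"source {entry['ip']} not in admin allowlist")
        severity = "medium"
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal sequence in request")
        severity = "high"
    # An absolute filesystem path is an unusual value for a backup selector.
    # The real parameter name is not given in the advisories (assumption), so
    # every parameter except the route selector "p" is inspected.
    for name, values in params.items():
        if name != "p" and any(ABSOLUTE_RE.match(v) for v in values):
            reasons.append(f"absolute path in parameter {name!r}")
            severity = "high"
    return {"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
            "severity": severity, "reasons": reasons}


def scan(lines, admin_allowlist):
    """Run classify() over raw log lines; lines that do not parse are skipped."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry, admin_allowlist)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log lines; the "backup" parameter name is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2025:10:01:12 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120',
    '10.0.0.5 - - [20/Feb/2025:10:05:44 +0000] "POST /admin/updater/restore-db HTTP/1.1" 200 312',
    '198.51.100.23 - - [20/Feb/2025:10:07:02 +0000] "POST /admin/updater/restore-db'
    '?backup=..%2F..%2F..%2Fsomewhere%2Fnot-a-backup.sql HTTP/1.1" 200 211',
    '198.51.100.23 - - [20/Feb/2025:10:07:09 +0000] "GET /index.php'
    '?p=admin/updater/restore-db&backup=/storage/backups/evil.sql HTTP/1.1" 302 0',
    "this line is not an access-log record",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, admin_allowlist={"10.0.0.5"}):
        print(alert["severity"].upper(), alert["ip"], alert["ts"], "; ".join(alert["reasons"]))
```

Run against the constructed lines, the allowlisted admin's restore-db request is reported as low (worth a record, since the endpoint is sensitive), while the two requests from the outside address are high: one for the traversal sequence, one for an absolute path in the parameter. Because the route suffix is matched rather than a full path, the same logic covers installs that use a non-default control-panel prefix.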
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 8.1 | HIGH | — |
| osv | 8.1 | HIGH | — |
| vulncheck | 8.0 | HIGH | — |
| cisa | 8.1 | HIGH | — |
OSV
CVE-2025-54417 [HIGH] Craft CMS has a theoretical bypass for CVE-2025-23209
osv · 2025-08-08 · CVSS 8.1
**Pre-requisites:**
* Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret)
* Somehow, manage to create an arbitrary file in Craft’s `/storage/backups` folder.
With those two pieces in place, you could create a specific, malicious request to the `/updater/restore-db` endpoint to execute CLI commands remotely.
Fixed in https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57
Reported by Marco O. (segfault)
GHSA
CVE-2025-54417 [HIGH] CWE-94 Craft CMS has a theoretical bypass for CVE-2025-23209
ghsa · 2025-08-08 · CVSS 8.1
**Pre-requisites:**
* Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret)
* Somehow, manage to create an arbitrary file in Craft’s `/storage/backups` folder.
With those two pieces in place, you could create a specific, malicious request to the `/updater/restore-db` endpoint to execute CLI commands remotely.
Fixed in https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57
Reported by Marco O. (segfault)
OSV
CVE-2025-23209 [HIGH] Craft CMS has a potential RCE with a compromised security key
osv · 2025-01-21
### Impact
This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
Anyone running an unpatched version of Craft with a compromised security key is affected.
### Patches
This has been patched in Craft 5.5.8 and 4.13.8.
### Workarounds
If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue.
### References
https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
GHSA
CVE-2025-23209 [HIGH] CWE-94 Craft CMS has a potential RCE with a compromised security key
ghsa · 2025-01-21
### Impact
This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
Anyone running an unpatched version of Craft with a compromised security key is affected.
### Patches
This has been patched in Craft 5.5.8 and 4.13.8.
### Workarounds
If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue.
### References
https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
VulnCheck
CVE-2025-23209 [HIGH] CWE-94 Craft CMS Code Injection Vulnerability
vulncheck · 2025 · CVSS 8.0
Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.
Affected: Craft CMS Craft CMS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-03-13
CISA
CVE-2025-23209 [HIGH] CWE-94 Craft CMS Code Injection Vulnerability
cisa · 2025-02-20 · CVSS 8.1
Vulnerability: Craft CMS Code Injection Vulnerability
Affected: Craft CMS Craft CMS
Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x ; https://nvd.nist.gov/vuln/detail/CVE-2025-23209
Remediation Due Date: 2025-03-13
No detection rules found.
No public exploits indexed.
Bleepingcomputer
[CRITICAL] Craft CMS RCE exploit chain used in zero-day attacks to steal data
blogs_bleepingcomputer · 2025-04-25 · CVSS 9.0
## Craft CMS RCE exploit chain used in zero-day attacks to steal data
By Lawrence Abrams
Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense.
The vulnerabilities were discovered by Orange Cyberdefense's CSIRT, which was called in to investigate a compromised server.
As part of the investigation, they discovered that two zero-day vulnerabilities impacting Craft CMS were exploited to breach the server:
- CVE-2025-32432: A remote code execution (RCE) vulnerability in Craft CMS.
- CVE-2024-58136: An input validation flaw in the Yii framework used by Craft CMS.
According to a report by SensePost, the ethical hacking team of Orange Cyberdefense, the threat actors ch
Checkpoint
CVE-2025-24989 24th February – Threat Intelligence Report
blogs_checkpoint · 2025-02-24
## 24th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research covers the recent ByBit hack, one of the largest thefts in digital asset history, its implications for crypto security, and security recommendations. In this event, hackers gained access to an offline Ethereum wallet and stole $1.5 billion worth of digital assets. The attack occurred during a routine
Bleepingcomputer
CVE-2025-23209 [MEDIUM] CISA flags Craft CMS code injection flaw as exploited in attacks
blogs_bleepingcomputer · 2025-02-21 · CVSS 6.9
## CISA flags Craft CMS code injection flaw as exploited in attacks
By Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks.
The flaw is tracked as CVE-2025-23209 and is a high severity (CVSS v3 score: 8.0) code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5.
Craft CMS is a content management system (CMS) used for building websites and custom digital experiences.
Not many technical details about CVE-2025-23209 are available, but exploitation isn't easy, as it requires the installation's security key to have already been compromised.
In Craft CMS, the security key is a cryptographic key that secures user authentication tokens, session cookies, database values, and
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209
2025-01-18 · Published
2025-02-20 · Added to CISA KEV
Exploited in the wild