⚠ Actively exploited
Added to CISA KEV on 2025-02-20. Federal agencies required to patch by 2025-03-13. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..
CVE-2025-23209 — Code Injection in Craft CMS
Severity
8.1HIGHNVD
NVD5.2CNA8.0VulnCheck8.0
EPSS
18.0%
top 4.83%
CISA KEV
KEV
Added 2025-02-20
Due 2025-03-13
Exploit
No known exploits
Affected products
Timeline
PublishedJan 18
KEV addedFeb 20
KEV dueMar 13
Latest updateAug 9
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their priva…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9