CVE-2025-23209
published 2025-01-18

Priority: P1 82 high
CVSS 3.1: 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: listed, remediation due 2025-03-13
Exploited in the wild (ITW)
EPSS: 4.71% (90.7th percentile)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and ensure their privacy to help mitigate the issue.

Affected

12 ranges
Vendor    Product    Version range             Fixed in
craftcms  cms
craftcms  cms
craftcms  cms        >= 4.0.0-RC1 < 4.13.8     4.13.8
craftcms  cms        >= 4.13.8 < 4.16.3        4.16.3
craftcms  cms        >= 5.0.0-RC1 < 5.5.8      5.5.8
craftcms  cms        >= 5.5.8 < 5.8.4          5.8.4
craftcms  craft_cms  < 4.13.8                  4.13.8
craftcms  craft_cms  < 5.5.8                   5.5.8
craftcms  craft_cms
craftcms  craft_cms
craftcms  craft_cms  >= 4.13.8 < 4.16.3        4.16.3
craftcms  craft_cms  >= 5.5.8 < 5.8.4          5.8.4

Detection & IOCs (extracted from sources)

URL: /updater/restore-db
Path: /storage/backups
  • CVE-2025-23209 requires a pre-compromised security key to exploit; monitor for unauthorized access to or exfiltration of the Craft CMS CRAFT_SECURITY_KEY environment variable, as its compromise is a prerequisite for the RCE chain.
  • Alert on unexpected or unauthorized file creation within the Craft CMS /storage/backups directory, as this is a required precondition for the bypass exploit (CVE-2025-54417) that enables RCE via /updater/restore-db.
  • Monitor HTTP requests to the /updater/restore-db endpoint for anomalous or unauthenticated access patterns, particularly those originating from unexpected sources or containing crafted database backup path parameters.
  • The vulnerability is described as a code injection flaw caused by improper validation of the database backup path; inspect WAF/web server logs for path traversal or unusual path values in backup-related requests.
  • Exploitation of CVE-2025-23209 is only possible if the Craft CMS security key has already been compromised. The security key protects authentication tokens, session cookies, database values, and sensitive application data; its compromise is a hard prerequisite for this RCE.
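As an added example (not from the advisory or the Craft CMS project), the following Python scans web-server access-log lines for the restore-db endpoint and backup-path indicators listed above, raising severity when a request carries traversal sequences or an absolute path outside /storage/backups. The log lines and the "backup" parameter name are constructed placeholders; the advisory does not name the real parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Indicators taken from the IOC list above.
RESTORE_DB_PATH = "/updater/restore-db"
EXPECTED_BACKUP_DIR = "/storage/backups"

# Traversal sequences; the request target is URL-decoded once before matching
# so "..%2F" and "%2e%2e/" are caught as well as the plain form.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Combined-log layout: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. The "backup" parameter name is a
# placeholder; the advisory does not name the actual parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jan/2025:10:01:02 +0000] "GET /index.php?p=blog HTTP/1.1" 200 512
203.0.113.9 - - [18/Jan/2025:10:02:45 +0000] "POST /updater/restore-db HTTP/1.1" 200 87
203.0.113.9 - - [18/Jan/2025:10:03:10 +0000] "POST /updater/restore-db?backup=..%2F..%2Ftmp%2Fx.sql HTTP/1.1" 200 87
"""

def classify(line):
    """Return an alert dict if the line hits the restore-db endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    if parts.path != RESTORE_DB_PATH:
        return None
    findings = ["request to restore-db endpoint"]
    if TRAVERSAL.search(unquote(target)):
        findings.append("traversal sequence in request target")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # An absolute path that does not point into the expected backups dir.
        if value.startswith("/") and not value.startswith(EXPECTED_BACKUP_DIR):
            findings.append(f"absolute path outside backups dir in {key!r}")
    severity = "high" if len(findings) > 1 else "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": m.group("status"), "severity": severity, "findings": findings}

def scan(log_text):
    """Classify every line. POST bodies never reach access logs, so parameters
    sent in the body need WAF or application-level logging instead."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]
```

Every hit on the endpoint is reported at medium severity because the advisory treats the endpoint itself as an indicator; pair the output with file-creation monitoring on /storage/backups for the full chain.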

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.1    HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                8.1    HIGH
osv                 8.1    HIGH
vulncheck           8.0    HIGH
cisa                8.1    HIGH