
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a significant security flaw in the Craft content management system (CMS), adding it to its Known Exploited Vulnerabilities (KEV) catalog because of evidence of active exploitation.
The issue is identified as CVE-2025-23209, with a CVSS score of 8.1, affecting Craft CMS versions 4 and 5. This vulnerability was patched by the Craft CMS team in December 2024, with updates released in versions 4.13.8 and 5.5.8.
According to CISA, the vulnerability is a code injection flaw that allows remote code execution on installations whose security key has been compromised.
The specific versions impacted are:
Versions >= 5.0.0-RC1 and < 5.5.8
Versions >= 4.0.0-RC1 and < 4.13.8
Craft CMS's advisory on GitHub states that all unpatched versions with compromised security keys are vulnerable to this flaw.
For sites that cannot upgrade immediately, the advisory recommends rotating the security key and keeping the new key confidential.
How the security keys were compromised, and under what circumstances, has not been disclosed. To reduce the risk of exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 13, 2025.
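A practical way to triage an installation against the two points above (the affected version ranges and the advice to keep the security key confidential) is a small script that reads the installed Craft version from composer.lock and inspects how the key is stored. The following is an added example written for this article; it is not Craft CMS's own tooling and does not come from the advisory. It assumes the usual Craft project layout, where composer.lock records the installed "craftcms/cms" package and the key is set as CRAFT_SECURITY_KEY in a .env file; the 32-character minimum and the sample inputs are assumptions made for the example.

```python
"""Triage helper for CVE-2025-23209 (Craft CMS code injection, fixed in 4.13.8 / 5.5.8).

Added example: not Craft CMS's own tooling and not from the advisory. It assumes
the standard Craft project layout, where composer.lock records the installed
"craftcms/cms" package and the security key is set as CRAFT_SECURITY_KEY in .env.
"""
import json
import re

# Affected ranges from the advisory: >= 4.0.0-RC1 < 4.13.8 and >= 5.0.0-RC1 < 5.5.8.
# Bounds are written as the sortable tuples produced by parse_version().
AFFECTED_RANGES = (
    ((4, 0, 0, 0, 1), (4, 13, 8, 1, 0)),
    ((5, 0, 0, 0, 1), (5, 5, 8, 1, 0)),
)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-[Rr][Cc](\d+))?$")


def parse_version(text):
    """Convert '5.5.7' or '5.0.0-RC1' into a tuple that sorts correctly.

    Element 4 is 0 for a release candidate and 1 for a final release, so
    5.0.0-RC1 sorts before 5.0.0; element 5 is the RC number (0 for finals).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def installed_craft_version(composer_lock_text):
    """Return the installed craftcms/cms version from composer.lock, or None."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def security_key_findings(env_text, env_mode=None):
    """Flag weak handling of CRAFT_SECURITY_KEY in a .env file.

    env_mode is the file's permission bits (e.g. os.stat(path).st_mode & 0o777);
    pass None to skip the permission check. The 32-character minimum is an
    assumption made for this example, not a value from the advisory.
    """
    findings = []
    key = None
    for raw in env_text.splitlines():
        line = raw.strip()
        if line.startswith("CRAFT_SECURITY_KEY="):
            key = line.split("=", 1)[1].strip().strip("\"'")
    if not key:
        findings.append("CRAFT_SECURITY_KEY is missing or empty")
    elif len(key) < 32:
        findings.append("CRAFT_SECURITY_KEY is shorter than 32 characters")
    if env_mode is not None and env_mode & 0o077:
        findings.append(".env is readable by group or other users")
    return findings


def triage(composer_lock_text, env_text, env_mode=None):
    """Combine the version and key checks into one report."""
    version = installed_craft_version(composer_lock_text)
    try:
        affected = is_affected(version) if version else None
    except ValueError:
        affected = None  # e.g. a dev-* version string that cannot be classified
    return {
        "version": version,
        "affected": affected,
        "key_findings": security_key_findings(env_text, env_mode),
    }


# Constructed sample inputs: a trimmed composer.lock and a .env with a weak key.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.5.7"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})
SAMPLE_ENV = "CRAFT_APP_ID=CraftCMS--example\nCRAFT_SECURITY_KEY=changeme\n"

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOCK, SAMPLE_ENV, env_mode=0o644), indent=2))
```

On a real host, feed it the contents of composer.lock and .env and the .env file's mode bits. A report that shows an affected version with key findings means the site needs both the upgrade and a key rotation; if rotating, use Craft's own setup/security-key console command (php craft setup/security-key) so the new value is written to .env, and expect existing sessions to be invalidated, since the key is what Craft uses to validate cookies.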