A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8.
“Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys,” the agency said.
The vulnerability affects the following versions of the software:
- >= 5.0.0-RC1, < 5.5.5
- >= 4.0.0-RC1, < 4.13.8
In an advisory released on GitHub, Craft CMS noted that all unpatched versions of Craft with a compromised security key are impacted by the security defect.
“If you can’t update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue,” it noted.
It’s currently not clear how the user security keys were compromised, and in what context. To alleviate the risk posed by the vulnerability, it’s recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by March 13, 2025.
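As an added example (not code from the article or from the Craft CMS project), the following Python checks whether an installed Craft version falls inside the affected ranges listed above, treating release candidates as sorting before their final release, and rotates the security key in a .env file as the maintainers' mitigation describes. The variable name CRAFT_SECURITY_KEY and the sample .env content are assumptions.

```python
"""Affected-version check for CVE-2025-23209 and .env security-key rotation.
Added illustration, not Craft's own tooling; CRAFT_SECURITY_KEY is assumed."""
import re
import secrets

# Ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("5.0.0-RC1", "5.5.5"), ("4.0.0-RC1", "4.13.8")]


def parse_version(v):
    """'5.5.4' -> (5, 5, 4, inf); '5.0.0-RC1' -> (5, 0, 0, 1).
    A release candidate sorts before its final release, so the final
    release gets a sentinel larger than any RC number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?", v.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised Craft version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))


def is_affected(version):
    """True if the version lies inside any advisory range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def rotate_security_key(env_text, new_key=None):
    """Replace CRAFT_SECURITY_KEY in .env text with a fresh random key
    (appending the line if absent). Returns (new_text, new_key)."""
    new_key = new_key or secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    pattern = re.compile(r"^CRAFT_SECURITY_KEY=.*$", re.M)
    if pattern.search(env_text):
        new_text = pattern.sub(lambda _: f"CRAFT_SECURITY_KEY={new_key}", env_text, count=1)
    else:
        new_text = env_text.rstrip("\n") + f"\nCRAFT_SECURITY_KEY={new_key}\n"
    return new_text, new_key


if __name__ == "__main__":
    for v in ["4.13.7", "4.13.8", "5.0.0-RC1", "5.5.4", "5.5.5", "3.9.0"]:
        print(v, "affected" if is_affected(v) else "not affected")
    # Constructed sample .env, not taken from any real deployment.
    sample_env = "APP_ID=CraftCMS--demo\nCRAFT_SECURITY_KEY=oldkey\n"
    print(rotate_security_key(sample_env)[0])
```

Rotating the key in .env does not by itself help if the old key has already leaked elsewhere (backups, repository history, shared hosting images), so the check for where the key was exposed is as important as generating a new one.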
Some parts of this article are sourced from:
thehackernews.com