CVE-2025-23209: Potential RCE with a compromised security key in craft/cms

8.1 CVSS

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.

Known Exploited

🚨 Marked as known exploited on February 20th, 2025 (about 2 months ago).

Classification

CVE ID: CVE-2025-23209

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

CVSS Vector:

Affected Products

Vendor: craftcms

Product: cms

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.97% (scored less or equal to compared to others)

EPSS Date: 2025-02-20 (when was this score calculated)

References

https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret

Timeline

2025-01-21 20:15:19 UTC
Github Advisory Database (Composer)

[craftcms/cms] Craft CMS has a potential RCE with a compromised security key
2025-01-23 00:30:50 UTC
CVE

Potential RCE with a compromised security key in craft/cms
2025-02-20 15:45:17 UTC
CISA KEV

Craft CMS Code Injection Vulnerability
2025-02-20 15:46:41 UTC
🚨 Marked as Known Exploited
2025-02-21 08:30:21 UTC
TheHackerNews

CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks