🔴 CVE-2025-23209

Remote Code Execution vulnerability in Craft CMS when the security key is compromised. This vulnerability has been actively exploited in the wild and is listed in the CISA KEV catalog.

Risk Level: HIGH_RISK
CVSS Score: 8.1
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-01-18

Added to CISA KEV: 2025-02-20 (33 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-23209 is a high-severity remote code execution (RCE) vulnerability affecting Craft CMS versions 4 and 5 [2] [4].

Vulnerability Overview
  • Nature of Flaw: The vulnerability is a command-injection flaw located within the database-restore workflow of Craft CMS [1]. It occurs because an attacker-controlled `backup-path` value can be injected into shell command construction without proper sanitization [1].
  • Exploitation Requirement: Successful exploitation requires that the site's security key has already been compromised [2] [5].
  • Impact: If exploited, an attacker can achieve remote code execution on the underlying server [2] [6].
Exploitation and Threat Landscape
  • Active Exploitation: The vulnerability has been flagged by CISA as being used in active, real-world attacks [4].
  • Exploit Availability: Proof-of-concept (PoC) scripts have been made available by researchers for security testing purposes [1].
Affected Versions and Mitigation
  • Affected Versions: Craft CMS 4 and 5 [2].
  • Patch Status: The issue was addressed by the maintainers in late December 2024 [4].
    ◦ Craft 4: Patched in version 4.13.8 [3].
    ◦ Craft 5: Patched in version 5.5.8 [3].
  • Workaround: If immediate patching is not possible, administrators should rotate their security key and ensure its confidentiality to mitigate the risk [3].
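The patched releases above differ per major branch, so a version check has to compare against 4.13.8 on Craft 4 and 5.5.8 on Craft 5 separately. The following script is an added example (not code from the advisory, the cited sources, or Craft CMS itself) that reads a Composer lock file, finds the `craftcms/cms` package and reports whether the installed version predates the fix for its branch. The `composer.lock` structure (`packages` / `packages-dev` arrays with `name` and `version` keys) is Composer's standard format; the embedded lock file is constructed sample data, and the function names are this example's own.

```python
"""Added example: flag a craftcms/cms version below the fixed releases
named in the CVE-2025-23209 advisory (4.13.8 for Craft 4, 5.5.8 for Craft 5).
Not part of the advisory or of Craft CMS; composer.lock sample below is constructed."""
import json
import re

# Fixed versions from the advisory, keyed by major branch. The trailing 1
# marks a final release; pre-releases get 0 so that "5.5.8-beta.1" sorts
# below "5.5.8" and is still reported as vulnerable.
PATCHED = {4: (4, 13, 8, 1), 5: (5, 5, 8, 1)}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Turn '5.5.7', 'v4.13.8' or '5.5.8-beta.1' into a comparable tuple
    (major, minor, patch, is_final_release)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def assess(version):
    """Return 'vulnerable', 'patched' or 'not-covered' for one craftcms/cms version.
    'not-covered' means the major branch is not one the advisory names (4 or 5)."""
    v = parse_version(version)
    threshold = PATCHED.get(v[0])
    if threshold is None:
        return "not-covered"
    return "vulnerable" if v < threshold else "patched"


def assess_composer_lock(lock_text):
    """Locate craftcms/cms in composer.lock JSON and return (version, status).
    Returns (None, 'not-found') when the package is absent."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "craftcms/cms":
                return pkg["version"], assess(pkg["version"])
    return None, "not-found"


# Constructed sample lock file: a Craft 4 site one patch release behind the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.13.7"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    version, status = assess_composer_lock(SAMPLE_LOCK)
    print(f"craftcms/cms {version}: {status}")
    if status == "vulnerable":
        major = parse_version(version)[0]
        fix = ".".join(str(n) for n in PATCHED[major][:3])
        print(f"update to {fix} or later; until then rotate the security key")
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file's contents. A `vulnerable` result means the install is in the affected range; whether it is exposed in practice still depends on the security key having been compromised, which is why the advisory's workaround (rotate the key and keep it private) applies while the update is pending.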

Sources

  1. GitHub - farid-khelil/CVE_2025_23209: a poc exploit script for...

    CVE-2025-23209. For authorized security testing and research environments only.CVE-2025-23209 is a command-injection flaw in Craft CMS' database-restore workflow. In affected versions, an attacker-controlled backup-path value can move from signed request data into shell command construction without…

  2. CVE-2025-23209 Detail - NVD

    This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. ... CVE-2025-23209 Detail. Description. Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remo…

  3. CVE-2025-23209 - GitHub Advisory Database

    Anyone running an unpatched version of Craft with a compromised security key is affected. Patches This has been patched in Craft 5.5.8 and 4.13.8. Workarounds If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue. Referenc…

  4. CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active...

    The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8. "Craft CMS contains a code injection vulnerability that allows for remote code execution as vul…

  5. Potential RCE with a compromised security key - GitHub

    This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.

  6. Craft CMS RCE Vulnerability Added to CISA KEV [CVE-2025-23209]

    This vulnerability was assigned a CVSS score of 8.1 (high) by NVD, and may allow a threat actor to achieve remote code execution (RCE) if successfully exploited ...