February 28 Advisory: Craft CMS RCE Vulnerability Added to CISA KEV [CVE-2025-23209]
Date of Disclosure (source): January 17, 2025
Date Reported as Actively Exploited (source): February 20, 2025
CVE-2025-23209 is a vulnerability in Craft CMS (Content Management System) 4 and 5, dependent on the prior compromise of the application’s security key. This vulnerability was assigned a CVSS score of 8.1 (high) by NVD, and may allow a threat actor to achieve remote code execution (RCE) if successfully exploited.
Requiring access to the security key raises the barrier to exploitation, but we lack specifics on how keys are being leaked or compromised. In the absence of this information, Craft CMS users should proactively rotate their security keys in addition to applying the patched commit available here on GitHub.
Field | Details
---|---
CVE-ID | CVE-2025-23209 – CVSS 8.1 (high) – assigned by NVD
Vulnerability Description | This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.
Date of Disclosure | January 17, 2025
Affected Assets | Craft CMS installations where the security key has been previously compromised.
Vulnerable Software Versions | Versions 4 and 5
PoC Available? | We did not observe any public exploits available at the time of writing.
Exploitation Status | This vulnerability is currently actively exploited and was added to CISA KEV on February 20, 2025.
Patch Status | This vulnerability has been patched in Craft CMS 4.13.9 and 5.5.8. If users are unable to update their instances, then rotating your security keys and ensuring their privacy will help mitigate the issue.
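An added triage script (not Censys's or Craft's own code) that applies the advisory's two remediation points to a checkout: it reads the installed craftcms/cms version from composer.lock and compares it to the patched releases 4.13.9 and 5.5.8, and flags an unset CRAFT_SECURITY_KEY in .env. The .env variable name and the composer.lock layout are assumptions about a standard Craft install; the sample inputs are constructed.

```python
import json
import re

# Minimum patched release per major line, as stated in the advisory.
PATCHED = {4: (4, 13, 9), 5: (5, 5, 8)}

def parse_version(text):
    """Turn '4.13.8' or 'v5.5.8' into a comparable integer tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable_version(version):
    """True when a 4.x or 5.x release predates its patched version."""
    v = parse_version(version)
    fix = PATCHED.get(v[0])
    return fix is not None and v < fix

def installed_craft_version(lock_json):
    """Return the craftcms/cms version recorded in a composer.lock document."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None

def security_key_from_env(env_text):
    """Extract CRAFT_SECURITY_KEY from .env content ('' when unset); assumed variable name."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("CRAFT_SECURITY_KEY="):
            return line.split("=", 1)[1].strip().strip("\"'")
    return ""

def assess(lock_json, env_text):
    """One finding per install: does it need the patch, is the key unset?"""
    version = installed_craft_version(lock_json)
    return {
        "version": version,
        "needs_patch": version is not None and is_vulnerable_version(version),
        "security_key_unset": security_key_from_env(env_text) == "",
    }

# Constructed sample inputs (not from a real install).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "4.13.8"}]})
SAMPLE_ENV = "CRAFT_APP_ID=CraftCMS--example\nCRAFT_SECURITY_KEY=\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

A key that is present but has been exposed (in a leaked backup or repository) is not something this check can see; the advisory's advice to rotate it still applies.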
Censys Perspective
At the time of writing, Censys observed 144,333 exposed applications using Craft CMS. A large proportion of these exposed instances (50%) are geolocated in the United States. Note that not all instances observed are vulnerable, as we are not able to reliably infer the version.
Map of Exposed Applications Using Craft CMS: [map image not reproduced]

Censys Search queries:

    services.software.product="Craft CMS" and not labels: {honeypot, tarpit}
    host.services.software.product="Craft CMS" and not host.labels: {"honeypot", "tarpit"}