CISA reports actively exploited flaw in Craft CMS
Take action: This is not a panic-mode patch - the attacker needs the CMS security key before the flaw can be exploited. That means you should review how the security key is protected first (.htaccess filters, a WAF, and locking down the server), then patch the CMS, because patching is still the smart thing to do.
CISA is warning about an actively exploited vulnerability in Craft CMS, a content management system used for building websites and custom digital experiences.
The vulnerability is tracked as CVE-2025-23209 (CVSS score 8.0) and affects both versions 4 and 5 of the platform. Exploitation is not trivial: it requires that the attacker has already compromised the installation's security key, which Craft uses to secure various sensitive components, including user authentication tokens, session cookies, database values, and application data.
Once an attacker has obtained this security key, they can:
- Decrypt sensitive data
- Generate fake authentication tokens
- Execute malicious code remotely through code injection
- Inject and execute arbitrary code on the affected systems
The vulnerability has been patched in Craft CMS versions 5.5.8 and 4.13.8. Federal agencies have been given a deadline of March 13, 2025, to implement the necessary patches.
As a mitigation measure, administrators who suspect compromise should delete the old key from the '.env' file and generate a new one with the 'php craft setup/security-key' command. Note, however, that changing the key makes any data encrypted with the previous key inaccessible.
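The "take action" guidance above comes down to one question: can anyone other than the application read the security key? The following audit script is an added example written for this article, not Craft CMS code. It assumes the standard Craft project layout (a .env file in the project root, web/ as the document root) and that the key lives in the CRAFT_SECURITY_KEY variable, as in Craft 4 and 5. The 32-character threshold and the demo project it builds in a temporary directory are constructed for the example; the Apache deny directive it emits is standard Apache 2.4 syntax.

```python
"""Audit how a Craft CMS project's security key is stored on disk.

Added example, not Craft CMS code. Assumes: .env in the project root, web/ as
the document root, key stored in CRAFT_SECURITY_KEY (Craft 4/5). The minimum
key length is this example's own threshold, not a Craft requirement.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

MIN_KEY_LENGTH = 32  # example threshold, see module docstring
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$')

# Apache 2.4 directive that stops the web server from ever serving a dotenv file.
HTACCESS_DENY_ENV = (
    '<FilesMatch "^\\.env">\n'
    '    Require all denied\n'
    '</FilesMatch>\n'
)


def parse_env(path: Path) -> dict:
    """Minimal .env parser: KEY=value lines, optional quotes, # comments."""
    values = {}
    for raw in path.read_text(encoding="utf-8").splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(raw)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def audit_security_key(project_root) -> list:
    """Return a list of findings (strings); an empty list means nothing was found."""
    root = Path(project_root)
    env_path = root / ".env"
    web_root = root / "web"
    findings = []

    if not env_path.is_file():
        return ["no .env file in project root; cannot check CRAFT_SECURITY_KEY"]

    # 1. The dotenv file must not be readable by group or others.
    mode = stat.S_IMODE(env_path.stat().st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f".env is readable by group/others (mode {mode:04o}); expect 0600")

    if web_root.is_dir():
        # 2. Any dotenv copy under the document root can be fetched over HTTP.
        for p in web_root.rglob(".env*"):
            findings.append(f"dotenv file inside web root: {p.relative_to(root)}")
        # 3. Without a deny rule, Apache serves dotfiles on request.
        htaccess = web_root / ".htaccess"
        if not htaccess.is_file() or ".env" not in htaccess.read_text(encoding="utf-8"):
            findings.append("web/.htaccess has no rule denying access to .env")

    # 4. The key itself must be present and reasonably long.
    key = parse_env(env_path).get("CRAFT_SECURITY_KEY", "")
    if not key:
        findings.append("CRAFT_SECURITY_KEY is missing or empty")
    elif len(key) < MIN_KEY_LENGTH:
        findings.append(f"CRAFT_SECURITY_KEY is only {len(key)} chars (example threshold {MIN_KEY_LENGTH})")
    return findings


def build_demo_project(hardened: bool) -> Path:
    """Constructed demo layout in a temp dir: weak (leaky) or hardened variant."""
    root = Path(tempfile.mkdtemp(prefix="craft-demo-"))
    (root / "web").mkdir()
    env = root / ".env"
    key = "a" * MIN_KEY_LENGTH if hardened else "short"  # constructed values
    env.write_text(f'CRAFT_SECURITY_KEY="{key}"\n', encoding="utf-8")
    os.chmod(env, 0o600 if hardened else 0o644)
    if hardened:
        (root / "web" / ".htaccess").write_text(HTACCESS_DENY_ENV, encoding="utf-8")
    else:
        (root / "web" / ".env").write_text("CRAFT_SECURITY_KEY=leaked-copy\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for label, hardened in (("weak", False), ("hardened", True)):
        print(f"[{label}]")
        for finding in audit_security_key(build_demo_project(hardened)) or ["no findings"]:
            print("  -", finding)
```

Run it against a real project with audit_security_key("/path/to/project"); the four checks map directly to the advice above (file permissions and server lock-down, nothing sensitive under the document root, a web-server filter for dotfiles, and a key that is actually set). A WAF rule blocking requests for paths containing ".env" is the network-side equivalent of check 3 and is not modelled here.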