US government warns this popular CMS software has a worrying security flaw

A close-up of an interent search bar with 'http://ww' visible

(Image credit: Getty Images)

CISA adds Craft CMS bug to its KEV catalog
The bug was found in Craft CMS versions 4 and 5
It allows for remote code execution

The US Government's Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug in Craft CMS versions 4 and 5 to its Known Exploited Vulnerabilities (KEV) catalog, ringing the alarm for abuse in the wild.

The vulnerability is a remote code execution (RCE) flaw tracked as CVE-2025-23209, but we don't know too many details about it, other than the fact exploitation is not that straightforward.

To abuse the bug, a threat actor first needs to have the installation security key, a cryptographic key that secures things like user authentication tokens, session cookies, database values, and more.

Decrypting sensitive data

Threat actors with possession of this bug can decrypt sensitive data, generate fake authentication tokens, or run malicious code from a distance.

Being added to KEV means that CISA has evidence someone is abusing the flaw in real-life attacks. However, the agency did not detail the attacks, so we don’t know who the threat actors are, or who the victims are. The deadline to patch the CMS is March 13, 2025. Admins should look for versions 5.5.8 and 4.13.8.

Admins suspecting compromise should delete old keys contained in the '.env' files and generate new ones using php craft setup/security-key command. They should also be careful not to destroy previously encrypted data, since the new key cannot grant access to it.

Craft CMS is a content management system designed for developers and content creators. The company advertises it as a customizable and intuitive platform with powerful templating, clean control panel, and robust content modeling.

There are many ways in which cybercriminals can abuse flawed content management systems. For example, they can redirect the visitors to a malicious phishing page, stealing their sensitive data in the process. They can serve them malicious ads or, in more extreme cases, drop malware to their computers.

The many moving parts of business email compromise
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.