US government warns this popular CMS software has a worrying security flaw

News
By
published

CISA adds Craft CMS bug to its KEV catalog

A close-up of an interent search bar with 'http://ww' visible
(Image credit: Getty Images)
  • CISA adds Craft CMS bug to its KEV catalog
  • The bug was found in Craft CMS versions 4 and 5
  • It allows for remote code execution

The US Government's Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug in Craft CMS versions 4 and 5 to its Known Exploited Vulnerabilities (KEV) catalog, ringing the alarm for abuse in the wild.

The vulnerability is a remote code execution (RCE) flaw tracked as CVE-2025-23209, but we don't know too many details about it, other than the fact exploitation is not that straightforward.

To abuse the bug, a threat actor first needs to have the installation security key, a cryptographic key that secures things like user authentication tokens, session cookies, database values, and more.

Decrypting sensitive data

Threat actors with possession of this bug can decrypt sensitive data, generate fake authentication tokens, or run malicious code from a distance.

Being added to KEV means that CISA has evidence someone is abusing the flaw in real-life attacks. However, the agency did not detail the attacks, so we don’t know who the threat actors are, or who the victims are. The deadline to patch the CMS is March 13, 2025. Admins should look for versions 5.5.8 and 4.13.8.

Admins suspecting compromise should delete old keys contained in the '.env' files and generate new ones using php craft setup/security-key command. They should also be careful not to destroy previously encrypted data, since the new key cannot grant access to it.

Craft CMS is a content management system designed for developers and content creators. The company advertises it as a customizable and intuitive platform with powerful templating, clean control panel, and robust content modeling.

There are many ways in which cybercriminals can abuse flawed content management systems. For example, they can redirect the visitors to a malicious phishing page, stealing their sensitive data in the process. They can serve them malicious ads or, in more extreme cases, drop malware to their computers.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
A person holding out their hand with a digital AI symbol.

Norton boosts AI scam protection tools for all users
PayPal

This PayPal scam exploits new address feature to send out phishing scam emails
Claude, ChatGPT, Siri logos side by side

From ChatGPT to NotebookLM, these are the 10 best free AI productivity tools to help you get things done
See more latest