Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a high-severity remote code execution flaw in Craft CMS, tracked as CVE-2025-23209. This vulnerability affects Craft CMS versions 4 and 5, and requires an attacker to already possess the system's security key for successful exploitation. Users are advised to upgrade to patched versions and regenerate security keys to mitigate risks.
Affected: Craft CMS
Key points:
- Vulnerability CVE-2025-23209 is rated with a CVSS v3 score of 8.0.
- Exploitation requires prior access to the Craft CMS security key, complicating attack scenarios.
- A patch is available in Craft CMS versions 5.5.8 and 4.13.8; users are urged to upgrade immediately.
- Federal agencies must patch the vulnerability by March 13, 2025, as part of a CISA mandate.
- Recommendations include deleting old keys and generating new ones to safeguard sensitive data.
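The advisory gives two fixed versions, one per supported major branch, so a site on 4.x must be compared against 4.13.8 and a site on 5.x against 5.5.8; comparing naively against the highest number would mark every 4.x install as vulnerable. The following script is an added example, not code from the advisory or from the Craft CMS project: it reads the `craftcms/cms` entry from a Composer lock file (the file name `composer.lock` and the package name are the standard Composer conventions; the sample content below is constructed) and reports whether the installed version carries the fix. Pre-release suffixes are handled conservatively, since under semantic versioning `5.5.8-beta.1` precedes `5.5.8`.

```python
import json
from typing import Optional, Tuple

# Fixed versions per major branch, exactly as stated in the advisory.
FIXED_VERSIONS = {4: (4, 13, 8), 5: (5, 5, 8)}


def parse_version(v: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse 'v5.5.7', '5.5.7' or '5.5.8-beta.1' into ((major, minor, patch), is_prerelease).

    Build metadata after '+' is ignored; anything after '-' marks a pre-release.
    """
    v = v.strip().lstrip("vV").split("+")[0]
    core, sep, _ = v.partition("-")
    is_prerelease = sep == "-"
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2]), is_prerelease


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a craftcms/cms version string."""
    core, is_prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get(core[0])
    if fixed is None:
        # Majors the advisory does not cover (e.g. 3.x) cannot be judged from it.
        return "unknown"
    if core > fixed:
        return "patched"
    if core == fixed and not is_prerelease:
        return "patched"
    # Older than the fix, or a pre-release of the fixed version itself.
    return "vulnerable"


def installed_craft_version(lock_json: str) -> Optional[str]:
    """Return the craftcms/cms version recorded in composer.lock content, or None."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def check_lockfile(lock_json: str) -> Tuple[Optional[str], str]:
    """Combine lookup and assessment: (version or None, verdict)."""
    version = installed_craft_version(lock_json)
    if version is None:
        return None, "unknown"
    return version, assess(version)


# Constructed sample composer.lock content; not taken from any real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.5.7"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})

if __name__ == "__main__":
    # Point this at a real lock file: open("composer.lock").read()
    print(check_lockfile(SAMPLE_LOCK))  # ('5.5.7', 'vulnerable')
```

A "patched" verdict only covers the code fix. Because exploitation depends on a security key the attacker already holds, a key that may have been exposed (leaked `.env`, shared backup, copied staging environment) should still be rotated after the upgrade, which is the second recommendation in the advisory.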