Summary: A critical security vulnerability (CVE-2025-23209) affecting versions 4 and 5 of the Craft content management system (CMS) has been added to CISA's KEV catalog due to active exploitation. This code injection flaw allows remote code execution on installations whose user security key has been compromised. Users are urged to update to patched versions or rotate their security keys to mitigate the risk.
Affected: Craft CMS (versions 4.0.0-RC1 to 4.13.8 and 5.0.0-RC1 to 5.5.5)
Key points:
- CVE-2025-23209 has a CVSS score of 8.1 and allows for remote code execution.
- The vulnerability affects any unpatched installation whose user security key has been compromised.
- Agencies are advised to apply the necessary fixes by March 13, 2025, to mitigate the risk.
Source: https://thehackernews.com/2025/02/cisa-flags-craft-cms-vulnerability-cve.html
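As an added example (not from the article or from Craft CMS itself), the following script checks an inventory of Craft installations against the affected version ranges stated above, handling the RC pre-release lower bounds correctly; the inventory and host names are constructed sample data.

```python
import re

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.13.8"),
    ("5.0.0-RC1", "5.5.5"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Turn a Craft version string such as '5.0.0-RC1' into a sortable tuple.

    A final release sorts above any pre-release of the same number, and
    pre-release tags are compared part by part ('beta.1' < 'RC1').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        return core + (1, ())
    # Tag each part so ints and strings never collide when tuples are compared.
    parts = tuple((0, int(p)) if p.isdigit() else (1, p.lower())
                  for p in re.findall(r"\d+|[A-Za-z]+", pre))
    return core + (0, parts)


def is_affected(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_installations(installs):
    """installs: mapping of site name -> installed version.

    Returns the names still needing an upgrade (or a security-key rotation).
    """
    return sorted(name for name, ver in installs.items() if is_affected(ver))


# Constructed sample inventory (hypothetical site names and versions).
SAMPLE_INVENTORY = {
    "www-prod": "4.13.8",
    "www-staging": "4.13.9",
    "shop": "5.5.5",
    "shop-canary": "5.5.6",
    "legacy": "3.9.14",
    "dev": "5.0.0-RC1",
}

if __name__ == "__main__":
    for name in check_installations(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} is in an affected range")
```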