What is Craft CMS? #
Craft CMS is an open source, easy to use content management system (CMS) for creating and sharing digital content online.
Latest Craft CMS vulnerability: CVE-2025-23209 #
In late January, CraftCMS published a security advisory for a code injection vulnerability that can lead to remote code execution. On February 20, 2025 CISA added CVE-2025-23209 to the known exploited vulnerabilities catalog (KEV).
What is the impact? #
Successful exploitation of the vulnerability requires that a remote attacker already has control of the installation's security key. In this case, the attacker can then inject code using an specially crafted backup directory variable provided by the user.
The affected versions include:
- Versions greater than or equal to 5.0.0-RC1 through 5.5.5 (exclusive)
- Versions greater than or equal to 4.0.0-RC1 through 4.13.8 (exclusive)
Are updates available? #
The vulnerability was patched in 5.5.8 and 4.13.8. Users are strongly encouraged to update their installation as soon as possible. In addition to applying a patch, users might want to rotate their security keys as a safety precaution. Additionally, a best practices write-up is available online with steps on how to harden the security of the installation.
How do I find potentially vulnerable instances with runZero? #
From the Service Inventory, use the following query to locate systems running potentially vulnerable software:
_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Craft CMS")
