A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8.
"Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys," the agency said.
The vulnerability affects the following versions of the software –
- >= 5.0.0-RC1,
- >= 4.0.0-RC1,
In an advisory released on GitHub, Craft CMS noted that all unpatched versions of Craft with a compromised security key are impacted by the security defect.
"If you can't update to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue," it noted.
It is currently not clear how the user security keys were compromised, and in what context. To mitigate the risk posed by the vulnerability, it is recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by March 13, 2025.
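The version ranges and fixed releases above are the first thing a defender needs to triage. The following is an added example, not code from the article or from the Craft project: it reads the installed `craftcms/cms` version out of a `composer.lock` document (assuming the standard Composer layout where dependencies sit in a `packages` array with `name` and `version` fields) and reports whether it falls inside the affected ranges, treating release candidates such as `5.0.0-RC1` as older than the corresponding final release.

```python
import json
import re
from typing import Optional, Tuple

# Fixed versions named in the article; anything in the same major line below these is affected.
FIXED = {4: "4.13.8", 5: "5.5.8"}


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '5.5.8' or '5.0.0-RC1' into a sortable key.
    A release candidate sorts below the final release of the same number."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(?:RC|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return nums, 1, 0                 # final release
    return nums, 0, int(m.group(4))       # RC: lower than the final release


def is_affected(version: str) -> bool:
    """True if this craftcms/cms version is in the ranges the advisory lists
    (>= 4.0.0-RC1 and < 4.13.8, or >= 5.0.0-RC1 and < 5.5.8)."""
    key = parse_version(version)
    major = key[0][0]
    if major not in FIXED:
        return False                      # only the 4.x and 5.x lines are listed
    return key < parse_version(FIXED[major])


def craft_version_from_lock(lock_json: str) -> Optional[str]:
    """Pull the installed craftcms/cms version out of a composer.lock document."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed sample composer.lock fragment (not taken from any real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.5.7"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})

if __name__ == "__main__":
    v = craft_version_from_lock(SAMPLE_LOCK)
    print(v, "affected" if v and is_affected(v) else "patched or not in scope")
```

A version that is not affected by number still needs the key rotation the advisory describes if the security key has been exposed.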