Tech News

CISA flags Craft CMS code injection flaw as exploited in attacks

By admin 2 Min Read

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks.

The flaw is tracked as CVE-2025-23209 and is a high severity (CVSS v3 score: 8.0)  code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5.

Craft CMS is a content management system (CMS) used for building websites and custom digital experiences. 

Not many technical details about CVE-2025-23209 are available, but exploitation isn’t easy, as it requires the installation’s security key to have already been compromised.

In Craft CMS, the security key is a cryptographic key that secures user authentication tokens, session cookies, database values, and sensitive application data.

The CVE-2025-23209 vulnerability only becomes an issue if an attacker has already obtained this security key, which opens the way to decrypt sensitive data, generate fake authentication tokens, or inject and execute malicious code remotely.

CISA has added the flaw to KEV without sharing any information about the scope and origin of the attacks and who the targets are.

Federal agencies have until March 13, 2025, to patch the Craft CMS flaw.

The flaw has been patched in Craft version 5.5.8 and 4.13.8, so users are recommended to upgrade to those releases or later as soon as possible.

If you suspect compromise, it is recommended that you delete old keys contained in ‘.env’ files and generate new ones using php craft setup/security-key command. Note that key changes render any data encrypted with a previous key inaccessible.

Along with CVE-2025-23209, CISA also added a vulnerability in Palo Alto Networks firewalls (CVE-2025-0111) to the Known Exploited Vulnerability catalog, setting the same deadline for March 13.

This is a file read vulnerability impacting PAN-OS firewalls, which the vendor disclosed is exploited by hackers as part of an exploit chain with CVE-2025-0108 and CVE-2024-9474.

For the PAN-OS versions that address this flaw, impacted users can check out Palo Alto Networks’ security bulletin.

You Might Also Like

Apple AI Pin Specs Leak: Dual Cameras, No Screen & More

The diverse responsibilities of a principal software engineer

OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters

Google’s Fitbit Tease has me More Excited for Garmin’s Whoop Rival

Why the TCL NXTPAPER 14 Is One of the Best Tablets for Musicians and Sheet Music Reading

TAGGED: , , , ,
Share This Article
Previous Article Super-sub Earthy scores twice as Bristol City fight back to beat Boro
Next Article Did xAI Manipulate Grok-3 Benchmarks & Reasoning Capabilities?
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

- Advertisement -

Latest News

JPMorgan CEO Jamie Dimon says he’s ‘learned and relearned’ to not make big decisions when he’s tired on Fridays
Business
Apple AI Pin Specs Leak: Dual Cameras, No Screen & More
Tech News
A ‘glass-like’ battlefield: German Army chief on the future of warfare
World News
Polymarket Sees Record $153M Daily Volume After Chainlink Integration
Crypto
Natasha Lyonne Then & Now: See Before & After Photos of the Actress Here
Celebrity
Cult Hit Doki Doki Literature Club Fights Removal From Google Play Store Over ‘Depiction Of Sensitive Themes’
Gaming News
Dead as Disco Launches Into Early Access on May 5th, Groovy New Gameplay Released
Gaming News
Lost your password?