- CISA adds Craft CMS bug to its KEV catalog
- The flaw affects Craft CMS versions 4 and 5
- It allows remote code execution
The US Government's Cybersecurity and Infrastructure Security Agency (CISA) has added a new flaw in Craft CMS versions 4 and 5 to its Known Exploited Vulnerabilities (KEV) catalog, warning that it is being abused in the wild.
The vulnerability is a remote code execution (RCE) bug tracked as CVE-2025-23209. Few details about it are public, beyond the fact that exploiting it is not straightforward.
To abuse the flaw, a threat actor must first obtain the installation's security key, a cryptographic key that secures things like user authentication tokens, session cookies, database values and more.
Decrypting sensitive data
Threat actors in possession of this key can decrypt sensitive data, forge authentication tokens, or run malicious code remotely.
Being added to KEV means that CISA has evidence that the flaw is being exploited in real-world attacks. The agency did not detail the attacks, so we do not know who the threat actors are or who the victims are. The deadline for patching is March 13, 2025. Administrators should update to versions 5.5.8 and 4.13.8.
Administrators who suspect compromise should rotate the old key stored in the `.env` file and generate a new one using the `php craft setup/security-key` command. They should also be careful not to lose data encrypted with the old key, since the new key cannot decrypt it.
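As an added example (not from the article or from Craft CMS itself), the POSIX shell helpers below let a defender check two things mentioned above: whether an installed Craft version is on or past the fixed releases (4.13.8 and 5.5.8), and whether the `.env` file actually carries a non-empty `CRAFT_SECURITY_KEY`. The function names and the sample `.env` content are constructed for the example.

```shell
#!/bin/sh
# craft_version_patched MAJOR.MINOR.PATCH
#   exit 0 if the version already contains the CVE-2025-23209 fix,
#   exit 1 if it is on the 4.x or 5.x line but older than the fix,
#   exit 2 if it is on a line the advisory does not cover.
craft_version_patched() {
    ver=${1#v}                 # tolerate a leading "v"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;        # "5.5" means 5.5.0
    esac
    patch=${patch%%[!0-9]*}    # drop "-beta.1" style suffixes
    case "$major" in
        4) fmin=13; fpatch=8 ;;  # fixed in 4.13.8
        5) fmin=5;  fpatch=8 ;;  # fixed in 5.5.8
        *) return 2 ;;
    esac
    if [ "$minor" -gt "$fmin" ]; then return 0; fi
    if [ "$minor" -eq "$fmin" ] && [ "${patch:-0}" -ge "$fpatch" ]; then return 0; fi
    return 1
}

# check_security_key PATH_TO_ENV
#   exit 0 if CRAFT_SECURITY_KEY is set to a non-empty value (quoted or not),
#   exit 1 otherwise. A missing or empty key means the install is not
#   configured the way the key-rotation advice above assumes.
check_security_key() {
    key=$(sed -n 's/^CRAFT_SECURITY_KEY=//p' "$1" | head -n 1 | sed 's/^"//; s/"$//')
    [ -n "$key" ]
}

# Demo on constructed input (a throwaway .env, not a real installation).
demo_env=$(mktemp)
printf 'CRAFT_APP_ID=CraftCMS--example\nCRAFT_SECURITY_KEY="constructed-sample-key"\n' > "$demo_env"
for v in 4.13.7 4.13.8 5.5.7 5.5.8 5.6.0 3.9.0; do
    craft_version_patched "$v"
    case $? in 0) echo "$v: patched";; 1) echo "$v: VULNERABLE";; 2) echo "$v: not covered";; esac
done
check_security_key "$demo_env" && echo "security key present" || echo "security key MISSING"
rm -f "$demo_env"
```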
Craft CMS is a content management system designed for developers and content creators. The company markets it as a customizable and intuitive platform with powerful templating, a clean control panel and robust content modeling.
There are many ways in which cyber criminals can abuse vulnerable content management systems. For example, they can redirect visitors to a malicious phishing page and steal their sensitive data in the process. They can serve them malicious ads or, in more extreme cases, drop malware onto their computers.