CISA flags Craft CMS code injection flaw as exploited in attacks
Published on: 2025-07-12 18:57:50
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks.
The flaw is tracked as CVE-2025-23209 and is a high severity (CVSS v3 score: 8.0) code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5.
Craft CMS is a content management system (CMS) used for building websites and custom digital experiences.
Few technical details about CVE-2025-23209 have been published, but exploitation is not trivial: it requires that the installation's security key has already been compromised.
In Craft CMS, the security key is a secret cryptographic key the application uses to sign and encrypt data, including user authentication tokens, session cookies, values stored in the database, and other sensitive application data.
CVE-2025-23209 is therefore only exploitable by an attacker who has already obtained this key. Possession of the key on its own allows them to decrypt protected data and forge authentication tokens; combined with this flaw, it also allows them to inject and execute code remotely. Patching closes the code-injection path, but a key that has already leaked (for example, in a committed .env file or a backup) remains usable for the other purposes until it is rotated.
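To make concrete why a leaked application security key matters, and why rotating it is part of the remediation, the following is an added illustrative example. It is not Craft CMS code and does not model Craft's real cookie or token format or the details of CVE-2025-23209; it uses a generic HMAC-SHA256 signed token scheme, and the key material and user names are constructed for the demonstration.

```python
"""Added example: forged authentication tokens with a leaked signing key.

Generic HMAC-signed token scheme (not Craft CMS's implementation). Shows that
anyone holding the key can mint a token for any user, and that rotating the
key invalidates both legitimate and forged tokens issued under the old key.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo key standing in for a leaked application security key.
# Never hard-code a real key like this; it belongs in a secret store or .env.
LEAKED_KEY = b"constructed-demo-key-do-not-use-in-production"
# Fixed clock so the example is deterministic.
FIXED_NOW = 1_700_000_000


def sign_token(key: bytes, user_id: str, expires_at: int) -> str:
    """Return 'user_id|expires_at|hex_mac' authenticated with HMAC-SHA256."""
    payload = f"{user_id}|{expires_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(key: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user_id if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, expires_str, mac = token.rsplit("|", 2)
        expires_at = int(expires_str)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user_id}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    if now >= expires_at:
        return None
    return user_id


def rotate_key() -> bytes:
    """Generate a fresh 256-bit key; every token signed under the old key dies."""
    return secrets.token_bytes(32)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the attack and the remediation; returns the verification results."""
    # The server issues a legitimate token for a low-privilege user.
    legit = sign_token(LEAKED_KEY, "editor", FIXED_NOW + 3600)
    # An attacker who has the key mints a token for a privileged account.
    forged = sign_token(LEAKED_KEY, "admin", FIXED_NOW + 3600)
    # Tampering without the key (changing the user_id) breaks the MAC.
    tampered = forged.replace("admin", "root", 1)
    # Remediation: rotate the key on the server side.
    new_key = rotate_key()
    return {
        "legit_before_rotation": verify_token(LEAKED_KEY, legit, now=FIXED_NOW),
        "forged_before_rotation": verify_token(LEAKED_KEY, forged, now=FIXED_NOW),
        "tampered_without_key": verify_token(LEAKED_KEY, tampered, now=FIXED_NOW),
        "forged_after_rotation": verify_token(new_key, forged, now=FIXED_NOW),
        "legit_after_rotation": verify_token(new_key, legit, now=FIXED_NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged token verifies exactly like a legitimate one because the MAC proves only that the signer held the key, not who the signer was. That is why a compromised key has to be rotated rather than merely patched around: until rotation, the attacker can keep minting valid tokens, and after rotation every existing session, legitimate or not, has to be re-established.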
CISA has added