
CVE-2025-23209 - Craft CMS Code Injection Vulnerability

Project: Craft CMS

Product: Craft CMS

Date Added: 2025-02-20

Due Date: 2025-03-13

Vulnerability Name

Craft CMS Code Injection Vulnerability

Description

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x

https://nvd.nist.gov/vuln/detail/CVE-2025-23209

Related News Articles

CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks (February 21, 2025)

CISA flags Craft CMS code injection flaw as exploited in attacks (February 21, 2025)