A vulnerability patched recently in the Craft content management system (CMS) is being exploited in attacks, according to the cybersecurity agency CISA.
The agency added the flaw, tracked as CVE-2025-23209, to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, alongside a Palo Alto Networks firewall vulnerability that has been exploited in the wild.
The Craft CMS has a relatively small market share, but it’s still used by tens of thousands of websites. Netlas has reported seeing over 41,000 instances that are ‘probably’ affected by CVE-2025-23209.
The Craft vulnerability identified as CVE-2025-23209 was patched in mid-January with the release of versions 5.5.8 and 4.13.8. It has been described as a high-severity remote code execution vulnerability that affects Craft installations where the security key has already been compromised.
CISA has added the vulnerability to its KEV catalog and instructed federal agencies to address it by March 13, but there do not appear to be any public reports describing attacks that involve CVE-2025-23209.
On the other hand, a different Craft CMS vulnerability, one tracked as CVE-2024-56145 and which also allows remote code execution, has been confirmed to be exploited by Craft developers.
CVE-2024-56145 was patched in mid-November 2024 and Craft developers warned users about its active exploitation in December 2024. CVE-2024-56145 has yet to be added to CISA’s KEV catalog.
SecurityWeek has reached out to Craft developers for information on the attacks exploiting CVE-2025-23209 and will update this article if they respond.
UPDATE Feb. 23: A Craft representative has not shared any information on the attacks, but pointed out for SecurityWeek, “The vulnerability (fixed in Craft CMS 4.13.8 and 5.5.8) allowed for remote code execution, but required a compromised private security key to exploit. No known vulnerability exists which would allow a threat actor to obtain a private security key.”
Related: New Windows Zero-Day Exploited by Chinese APT
Related: Apple Confirms USB Restricted Mode Exploited in ‘Extremely Sophisticated’ Attack
Related: Russian Hackers Exploited 7-Zip Zero-Day Against Ukraine
