CVE-2025-23209 — Craft CMS Code Injection Vulnerability

CVE-2025-23209

Craft CMS — Database Backup Path Code Injection; RCE When Security Key is Known to Attacker

What is Craft CMS?

Craft CMS is a popular open-source PHP content management system built on the Yii framework, used by businesses and agencies worldwide for website and web application development. It is deployed as a self-hosted application on LAMP/LEMP stacks and is commonly internet-accessible as a website backend. Craft CMS stores a critical application secret called the "security key" in its .env file — this key is used for signing session tokens, generating CSRF tokens, and protecting sensitive operations.

Overview

CVE-2025-23209 is a code injection vulnerability (CWE-94) in Craft CMS triggered through improper validation of the database backup path. When an attacker has obtained a Craft CMS installation's security key (through prior compromise, misconfiguration, or disclosure), they can use the key to craft malicious session data that results in remote code execution on the web server. The CVSS metrics reflect that exploitation requires both prior knowledge of the security key (AC:H) and a low-privileged Craft account (PR:L).

Affected Versions

Product         Vulnerable    Fixed
Craft CMS 4.x   < 4.13.2      4.13.2
Craft CMS 5.x   < 5.5.2       5.5.2

Technical Details

The code injection (CWE-94) exploits Craft CMS's database backup path validation. The backup path is processed by Craft's template engine or a file handling function without sufficient sanitization, allowing an attacker to inject PHP code or template directives.

Prerequisite — security key knowledge: The attack requires the attacker to know the Craft installation's SECURITY_KEY from the .env file. Common ways this key is obtained:

  • .env file exposed via misconfigured web server (directory traversal, .env accessible via HTTP)
  • Prior compromise of the server or source code repository
  • Leaked via CI/CD configuration, public GitHub repositories, or backup files

With the security key known, the attacker can forge authenticated Craft sessions and interact with administrative endpoints, including the database backup path functionality.

Relationship to other Craft CMS CVEs: This is one of several Craft CMS code injection vulnerabilities disclosed in 2024-2025. CVE-2024-56145 (December 2024, register_argc_argv exploitation), CVE-2025-32432 (Yii framework path), and this CVE together represent a sustained pattern of Craft CMS RCE vulnerabilities.

Discovery

Reported to Craft CMS and fixed in the January 2025 releases.

Exploitation Context

CISA confirmed active exploitation and added the vulnerability to the KEV catalog on February 20, 2025. Organizations whose .env files were previously exposed through a separate vulnerability (path traversal, LFI) are at particular risk — an attacker who obtained the security key from a prior disclosure can now use CVE-2025-23209 for RCE without further authentication.

Remediation

  1. Upgrade Craft CMS to 4.13.2+ or 5.5.2+ immediately. The CISA deadline was March 13, 2025.
  2. Rotate the SECURITY_KEY in your .env file — if the key was ever exposed or may have been exposed, regenerating it invalidates any forged session tokens. Use php craft setup/security-key to regenerate.
  3. Protect .env file access — ensure your web server configuration blocks HTTP access to .env and other configuration files. Test with curl https://yoursite.com/.env.
  4. Audit web server logs for requests to /admin/utilities/db-backup or similar backup endpoints from unexpected users or IP addresses.
  5. Review all Craft CMS versions for the full chain of recent CVEs and apply all patches.
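The five remediation steps above lend themselves to a small audit script. The following Python is an added example, not part of this advisory and not Craft CMS code: it checks an installed version against the fixed releases listed above (step 1), interprets the result of the curl test from step 3, and scans web server access logs in combined log format for the db-backup utility requests that step 4 asks you to audit. It assumes the default control-panel trigger "admin" in the endpoint path, assumes the key in .env is named CRAFT_SECURITY_KEY (Craft 4 and 5) or SECURITY_KEY (as written in step 2), and runs over constructed sample log lines rather than real traffic.

```python
import re
from typing import Iterable, List, Tuple

# Fixed releases as stated in the advisory: 4.13.2 for the 4.x line, 5.5.2 for 5.x.
FIXED_VERSIONS = {4: (4, 13, 2), 5: (5, 5, 2)}

# Assumption: the control-panel trigger is the default "admin". If your site
# customises it, adjust the prefix here.
BACKUP_PATH_RE = re.compile(r"^/admin/utilities/db-backup(?:[/?]|$)")

# Combined log format as written by Apache/nginx defaults (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.13.1' into (4, 13, 1); any pre-release suffix after '-' is dropped."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Craft version is below the fixed release for its line.
    Lines other than 4.x/5.x are not covered by this advisory and return False."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(parts[0])
    if fixed is None:
        return False
    return parts < fixed


def find_backup_requests(log_lines: Iterable[str], expected_ips: Iterable[str]) -> List[dict]:
    """Return requests to the db-backup utility that did not come from an expected
    administrator IP address. Lines that do not parse are skipped."""
    expected = set(expected_ips)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not BACKUP_PATH_RE.match(m["path"]):
            continue
        if m["ip"] in expected:
            continue
        hits.append({
            "ip": m["ip"], "user": m["user"], "path": m["path"],
            "status": int(m["status"]), "time": m["ts"],
        })
    return hits


def env_looks_exposed(status: int, body: str) -> bool:
    """Interpret the response to 'curl -i https://yoursite.com/.env' (step 3): a 200
    whose body carries the security-key variable means the file is being served."""
    if status != 200:
        return False
    # Assumption: Craft 4/5 name the variable CRAFT_SECURITY_KEY; older setups use SECURITY_KEY.
    return bool(re.search(r"^\s*(?:export\s+)?(?:CRAFT_)?SECURITY_KEY\s*=", body, re.M))


# Constructed sample log lines (combined format) for demonstration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2025:10:01:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120',
    '10.0.0.5 - - [18/Jan/2025:10:02:10 +0000] "POST /admin/utilities/db-backup HTTP/1.1" 200 412',
    '203.0.113.77 - - [19/Jan/2025:03:14:15 +0000] "POST /admin/utilities/db-backup HTTP/1.1" 200 412',
    '203.0.113.77 - - [19/Jan/2025:03:14:16 +0000] "GET /admin/utilities/db-backup?download=1 HTTP/1.1" 200 9001',
    '198.51.100.9 - - [19/Jan/2025:03:20:00 +0000] "GET /.env HTTP/1.1" 403 199',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    print("4.13.1 vulnerable:", is_vulnerable_version("4.13.1"))
    print(".env served:", env_looks_exposed(200, "CRAFT_SECURITY_KEY=example\n"))
    # 10.0.0.5 is the only IP expected to use the backup utility in this sample.
    for hit in find_backup_requests(SAMPLE_LOG, expected_ips=["10.0.0.5"]):
        print("unexpected db-backup request:", hit)
```

Run it over a real access log with `find_backup_requests(open("access.log"), expected_ips=[...])`, listing the addresses your administrators actually use; any remaining hit is worth correlating with the Craft user session active at that time. For step 3, blocking dotfiles at the web server is one configuration change (for nginx, a `location ~ /\.env { deny all; }` block) rather than something the script can do for you, and rotating the key per step 2 remains necessary whenever `env_looks_exposed` returns True, since the file may already have been read.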

Key Details

Property               Value
CVE ID                 CVE-2025-23209
Vendor / Product       Craft CMS — Craft CMS
NVD Published          2025-01-18
NVD Last Modified      2025-10-24
CVSS 3.1 Score         8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-94
CISA KEV Added         2025-02-20
CISA KEV Deadline      2025-03-13
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      High
Privileges Required    Low
User Interaction       Required
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-03-13. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-01-18   CVE published; Craft CMS 4.13.2 and 5.5.2 released with fix
2025-02-20   Added to CISA Known Exploited Vulnerabilities catalog
2025-03-13   CISA BOD 22-01 remediation deadline