- CISA adds a Craft CMS bug to its KEV catalog
- The bug affects Craft CMS versions 4 and 5
- It allows remote code execution
The United States government's Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug in Craft CMS versions 4 and 5 to its Known Exploited Vulnerabilities (KEV) catalog, warning that it is being abused in the wild.
The vulnerability is a remote code execution (RCE) flaw tracked as CVE-2025-23209. Few details about it are known, other than that exploiting it is not straightforward.
To abuse the bug, a threat actor must first hold the installation's security key, a cryptographic key that secures things such as user authentication tokens, session cookies and database values.
Decrypting sensitive data
Threat actors exploiting this bug can decrypt sensitive data, forge authentication tokens or execute malicious code remotely.
Being added to the KEV means CISA has evidence that someone is abusing the flaw in real attacks. However, the agency has not detailed the attacks, so we do not know who the threat actors or the victims are. The deadline for patching Craft CMS is March 13, 2025. Administrators should update to versions 5.5.8 and 4.13.8.
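A quick way for administrators to check whether an installation is still on a pre-fix release is to read the Craft CMS version out of the project's composer.lock and compare it against the patched versions named above (5.5.8 for the 5.x branch, 4.13.8 for the 4.x branch). The script below is an added example, not code from the article or from Craft CMS; it assumes Craft is installed via Composer under the package name craftcms/cms and uses a constructed composer.lock sample.

```python
import json
import re
from typing import Optional

# Fixed releases named in the article, keyed by major version branch.
PATCHED = {4: (4, 13, 8), 5: (5, 5, 8)}
PACKAGE = "craftcms/cms"  # assumed Composer package name for Craft CMS


def parse_version(version: str) -> tuple:
    """Turn a Composer version string such as 'v5.5.7' or '4.13.8' into an int tuple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the version recorded for `package` in a composer.lock document, or None."""
    lock = json.loads(lock_json)
    for entry in lock.get("packages", []):
        if entry.get("name") == package:
            return entry.get("version")
    return None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is on the 4.x or 5.x branch and older than the fixed release.

    Returns None for branches the article does not cover (for example 3.x)."""
    parsed = parse_version(version)
    fixed = PATCHED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


# Constructed sample composer.lock; not taken from any real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.5.7"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})

if __name__ == "__main__":
    version = installed_version(SAMPLE_LOCK)
    state = "vulnerable" if is_vulnerable(version) else "patched or not covered"
    print(f"craftcms/cms {version}: {state}")
```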
Administrators who suspect a compromise should remove the old keys stored in the files. They should also take care not to destroy previously encrypted data, as the new key cannot decrypt it.
Craft CMS is a content management system designed for developers and content creators. The company advertises it as a customizable and intuitive platform with powerful templates, a clean control panel and robust content modeling.
There are many ways cybercriminals can abuse compromised content management systems. For example, they can redirect visitors to a malicious phishing page, stealing their sensitive data in the process. They can serve malicious advertisements or, in more extreme cases, drop malware onto visitors' computers.