
CVE-2025-54417: Craftcms Craft CMS RCE Vulnerability

CVE-2025-54417 is a remote code execution vulnerability in Craftcms Craft CMS affecting versions 4.13.8-4.16.2 and 5.5.8-5.8.3. Attackers can execute CLI commands remotely via the restore-db endpoint with a compromised security key.

CVE-2025-54417 Overview

Craft CMS contains a remote code execution vulnerability that bypasses the previous fix for CVE-2025-23209. The flaw affects Craft CMS versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3. Attackers with a compromised security key who can place an arbitrary file in Craft's /storage/backups folder can craft a malicious request to the /updater/restore-db endpoint. This request triggers execution of CLI commands on the host running Craft CMS. The issue is classified as code injection [CWE-94] and is fixed in versions 4.16.3 and 5.8.4.

Critical Impact

Authenticated attackers possessing a compromised Craft security key can achieve remote code execution by abusing the database restore endpoint to invoke arbitrary CLI commands.

Affected Products

  • Craft CMS versions 4.13.8 through 4.16.2
  • Craft CMS versions 5.5.8 through 5.8.3
  • Self-hosted Craft CMS deployments exposing the /updater/restore-db endpoint

Discovery Timeline

  • 2025-08-09 - CVE-2025-54417 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-54417

Vulnerability Analysis

The vulnerability is a code injection flaw [CWE-94] in the Craft CMS updater component. It bypasses controls introduced for CVE-2025-23209, which addressed potential RCE through a compromised security key. The /updater/restore-db endpoint processes a request referencing a backup file in the /storage/backups directory. Attackers craft the request so that the restore routine invokes CLI commands rather than performing a legitimate database restore. Successful exploitation grants execution of arbitrary commands in the context of the Craft CMS process.

Root Cause

The root cause is insufficient validation of inputs passed to the database restore command pipeline. Although CVE-2025-23209 introduced controls against security-key-based RCE, the /updater/restore-db path remained reachable in a way that allowed attacker-controlled values to reach the CLI execution layer. The fix in commit a19d46be78a9ca1ea474012a10e97bed0d787f57 tightens input handling and restore logic to prevent command construction from untrusted parameters.

Attack Vector

Exploitation requires two preconditions: a compromised Craft security key and the ability to write an arbitrary file into the /storage/backups directory. Network access to the application is also required, since the request targets a web endpoint. With both preconditions met, the attacker sends a specifically crafted POST to /updater/restore-db, causing the server to execute commands derived from attacker-controlled data. The high attack complexity reflects the chained prerequisites rather than the simplicity of the final HTTP request. Full technical detail is available in the GitHub Security Advisory GHSA-2vcf-qxv3-2mgw.

Detection Methods for CVE-2025-54417

Indicators of Compromise

  • HTTP POST requests to the /updater/restore-db endpoint from non-administrative source addresses
  • Unexpected files appearing in the /storage/backups directory outside of scheduled backup windows
  • Child processes spawned by the PHP-FPM or web server process executing shell commands or Craft CLI actions
  • Outbound network connections originating from the Craft CMS application process to attacker-controlled infrastructure

Detection Strategies

  • Monitor web server access logs for requests to /updater/restore-db and correlate with the authenticated user and source IP
  • Alert on file create events in /storage/backups from non-Craft processes
  • Inspect process telemetry for shell or interpreter children of the web server process tied to restore requests
  • Track use or rotation events of the Craft security key and flag any external exposure
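The first two detection strategies above, worked as an added example that is not part of the original advisory: a small Python script that parses constructed combined-format access-log lines, flags requests to /updater/restore-db from outside an assumed administrative IP range, and correlates each one with constructed file-create events in storage/backups that were not produced by the assumed scheduled backup job.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in combined format (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [09/Aug/2025:10:15:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120
203.0.113.7 - - [09/Aug/2025:10:15:40 +0000] "POST /updater/restore-db HTTP/1.1" 200 312
198.51.100.22 - - [09/Aug/2025:11:02:11 +0000] "POST /updater/restore-db HTTP/1.1" 200 312
192.0.2.5 - - [09/Aug/2025:11:03:00 +0000] "GET /index.php HTTP/1.1" 200 8800
"""

# Constructed file-create events for storage/backups: (timestamp, path, writing process).
FILE_EVENTS = [
    ("2025-08-09T10:14:55+00:00", "/var/www/craft/storage/backups/site-2025-08-09.sql", "craft-backup"),
    ("2025-08-09T11:01:30+00:00", "/var/www/craft/storage/backups/x.sql", "php-fpm"),
]

ADMIN_RANGES = [ip_network("203.0.113.0/24")]  # assumed administrative source range
EXPECTED_BACKUP_PROC = "craft-backup"           # assumed name of the scheduled backup job
ENDPOINT = "/updater/restore-db"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_access_log(text):
    """Yield (timestamp, source_ip, method, path, status) for each parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group(1), m.group(3), m.group(4), int(m.group(5))


def flag_restore_requests(log_text, file_events, window=timedelta(minutes=10)):
    """Return one finding per restore-db request, listing why it looks suspicious."""
    findings = []
    for ts, src, method, path, status in parse_access_log(log_text):
        if path.split("?", 1)[0] != ENDPOINT:
            continue
        reasons = []
        if not any(ip_address(src) in net for net in ADMIN_RANGES):
            reasons.append("source outside administrative ranges")
        for ev_ts, ev_path, ev_proc in file_events:
            # A backup written by something other than the scheduled job shortly before the
            # request matches the advisory's precondition of an attacker-placed backup file.
            age = ts - datetime.fromisoformat(ev_ts)
            if ev_proc != EXPECTED_BACKUP_PROC and timedelta(0) <= age <= window:
                reasons.append(f"{ev_path} written by {ev_proc} {int(age.total_seconds())}s earlier")
        findings.append({"ts": ts.isoformat(), "src": src, "method": method,
                         "status": status, "reasons": reasons})
    return findings
```

Every restore-db request is reported so that legitimate administrative restores remain visible; the `reasons` list is what an alert rule should key on.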

Monitoring Recommendations

  • Enable verbose logging on the Craft updater module and forward logs to a central analytics platform
  • Establish a baseline of legitimate backup and restore operations to surface anomalies
  • Integrate Craft CMS application logs with endpoint process telemetry to correlate HTTP activity with command execution

How to Mitigate CVE-2025-54417

Immediate Actions Required

  • Upgrade Craft CMS to version 4.16.3 or 5.8.4 without delay
  • Rotate the Craft securityKey and any credentials that may have been exposed alongside it
  • Audit the /storage/backups directory for unexpected files and remove untrusted content
  • Restrict access to the /updater/* routes to administrative IP ranges where feasible

Patch Information

The vendor released fixes in Craft CMS 4.16.3 and 5.8.4. The corrective change is published in commit a19d46be78a9ca1ea474012a10e97bed0d787f57. Administrators should review the GitHub Security Advisory GHSA-2vcf-qxv3-2mgw for additional remediation guidance.

Workarounds

  • Block external access to /updater/restore-db at the reverse proxy or web application firewall until patching is complete
  • Enforce strict filesystem permissions on /storage/backups so only the Craft service account can write to it
  • Treat the existing securityKey as compromised if any prior incident or key exposure is suspected, and regenerate it
```nginx
# Example nginx rule to block the vulnerable endpoint until patched.
# "return" is processed in the rewrite phase, before the access-phase "deny",
# so a bare return 403 is sufficient; a "deny all" beside it would never run.
# An exact-match ("=") location covers only this literal path; adjust it if the
# deployment routes the same action through a different path or query string.
location = /updater/restore-db {
    return 403;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
