Vulnerability Details CVE-2025-54417
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.9%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2025-54417
-
cpe:2.3:a:craftcms:craft_cms:4.13.10
-
cpe:2.3:a:craftcms:craft_cms:4.13.8
-
cpe:2.3:a:craftcms:craft_cms:4.13.9
-
cpe:2.3:a:craftcms:craft_cms:4.14.0
-
cpe:2.3:a:craftcms:craft_cms:4.14.0.1
-
cpe:2.3:a:craftcms:craft_cms:4.14.0.2
-
cpe:2.3:a:craftcms:craft_cms:4.14.1
-
cpe:2.3:a:craftcms:craft_cms:4.14.10
-
cpe:2.3:a:craftcms:craft_cms:4.14.11
-
cpe:2.3:a:craftcms:craft_cms:4.14.11.1
-
cpe:2.3:a:craftcms:craft_cms:4.14.12
-
cpe:2.3:a:craftcms:craft_cms:4.14.13
-
cpe:2.3:a:craftcms:craft_cms:4.14.14
-
cpe:2.3:a:craftcms:craft_cms:4.14.15
-
cpe:2.3:a:craftcms:craft_cms:4.14.2
-
cpe:2.3:a:craftcms:craft_cms:4.14.3
-
cpe:2.3:a:craftcms:craft_cms:4.14.4
-
cpe:2.3:a:craftcms:craft_cms:4.14.5
-
cpe:2.3:a:craftcms:craft_cms:4.14.6
-
cpe:2.3:a:craftcms:craft_cms:4.14.7
-
cpe:2.3:a:craftcms:craft_cms:4.14.8
-
cpe:2.3:a:craftcms:craft_cms:4.14.8.1
-
cpe:2.3:a:craftcms:craft_cms:4.14.9
-
cpe:2.3:a:craftcms:craft_cms:4.15.0
-
cpe:2.3:a:craftcms:craft_cms:4.15.0.1
-
cpe:2.3:a:craftcms:craft_cms:4.15.0.2
-
cpe:2.3:a:craftcms:craft_cms:4.15.1
-
cpe:2.3:a:craftcms:craft_cms:4.15.2
-
cpe:2.3:a:craftcms:craft_cms:4.15.3
-
cpe:2.3:a:craftcms:craft_cms:4.15.4
-
cpe:2.3:a:craftcms:craft_cms:4.15.5
-
cpe:2.3:a:craftcms:craft_cms:4.15.6
-
cpe:2.3:a:craftcms:craft_cms:4.15.6.1
-
cpe:2.3:a:craftcms:craft_cms:5.5.10
-
cpe:2.3:a:craftcms:craft_cms:5.5.8
-
cpe:2.3:a:craftcms:craft_cms:5.5.9
-
cpe:2.3:a:craftcms:craft_cms:5.6.0
-
cpe:2.3:a:craftcms:craft_cms:5.6.0.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.0.2
-
cpe:2.3:a:craftcms:craft_cms:5.6.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.10
-
cpe:2.3:a:craftcms:craft_cms:5.6.10.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.10.2
-
cpe:2.3:a:craftcms:craft_cms:5.6.11
-
cpe:2.3:a:craftcms:craft_cms:5.6.12
-
cpe:2.3:a:craftcms:craft_cms:5.6.13
-
cpe:2.3:a:craftcms:craft_cms:5.6.14
-
cpe:2.3:a:craftcms:craft_cms:5.6.15
-
cpe:2.3:a:craftcms:craft_cms:5.6.17
-
cpe:2.3:a:craftcms:craft_cms:5.6.2
-
cpe:2.3:a:craftcms:craft_cms:5.6.3
-
cpe:2.3:a:craftcms:craft_cms:5.6.4
-
cpe:2.3:a:craftcms:craft_cms:5.6.5
-
cpe:2.3:a:craftcms:craft_cms:5.6.5.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.6
-
cpe:2.3:a:craftcms:craft_cms:5.6.7
-
cpe:2.3:a:craftcms:craft_cms:5.6.8
-
cpe:2.3:a:craftcms:craft_cms:5.6.9
-
cpe:2.3:a:craftcms:craft_cms:5.6.9.1
-
cpe:2.3:a:craftcms:craft_cms:5.7.0
-
cpe:2.3:a:craftcms:craft_cms:5.7.1
-
cpe:2.3:a:craftcms:craft_cms:5.7.2
-
cpe:2.3:a:craftcms:craft_cms:5.7.3
-
cpe:2.3:a:craftcms:craft_cms:5.7.4
-
cpe:2.3:a:craftcms:craft_cms:5.7.5
-
cpe:2.3:a:craftcms:craft_cms:5.7.6
-
cpe:2.3:a:craftcms:craft_cms:5.7.7
-
cpe:2.3:a:craftcms:craft_cms:5.7.8
-
cpe:2.3:a:craftcms:craft_cms:5.7.8.1
-
cpe:2.3:a:craftcms:craft_cms:5.7.8.2