CVE-2025-54417 is a medium-severity vulnerability affecting Craft CMS versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3. The vulnerability is classified under CWE-94, indicating improper control over code generation, specifically a code injection flaw. This vulnerability enables an attacker to bypass a previously known vulnerability (CVE-2025-23209) that allowed remote code execution (RCE) when the security key was compromised. To exploit CVE-2025-54417, an attacker must first have access to a compromised security key and be able to create an arbitrary file within the /storage/backups directory of the Craft CMS installation. With these conditions met, the attacker can send a crafted malicious request to the /updater/restore-db endpoint, which triggers execution of arbitrary CLI commands on the server. This effectively allows remote code execution, potentially leading to full system compromise. The vulnerability does not require user interaction but does require low-level privileges (PR:L) and has a high attack complexity (AC:H), meaning exploitation is not trivial but feasible under the stated conditions. The vulnerability impacts confidentiality, integrity, and availability as attackers can execute arbitrary commands, potentially exfiltrate data, modify content, or disrupt services. The issue has been fixed in versions 4.16.3 and 5.8.4 of Craft CMS. There are no known exploits in the wild at the time of publication, but the presence of a bypass to a prior RCE vulnerability increases the risk profile for systems with compromised keys that have not been updated.

For European organizations using Craft CMS within the affected version ranges, this vulnerability poses a significant risk. Craft CMS is used by businesses and agencies to build and manage digital experiences, including websites and web applications. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over web servers, access sensitive data, modify website content, or disrupt services. This could result in data breaches involving personal data protected under GDPR, leading to regulatory fines and reputational damage. Additionally, attackers could use compromised servers as pivot points for further attacks within the organization's network. The requirement for a compromised security key means that organizations with weak key management or prior breaches are at higher risk. Since the vulnerability involves the /updater/restore-db endpoint, automated backup and restore processes could be exploited, potentially undermining disaster recovery mechanisms. The medium CVSS score reflects moderate ease of exploitation but significant potential impact, making timely patching critical to prevent escalation. Given the widespread use of Craft CMS in Europe, especially among SMEs and digital agencies, the threat is material and warrants immediate attention.

1. Immediate upgrade of Craft CMS installations to versions 4.16.3 or 5.8.4 or later to apply the official patch addressing this vulnerability. 2. Conduct a thorough audit of security keys used in Craft CMS projects; regenerate and securely store keys to prevent compromise. 3. Restrict write permissions to the /storage/backups directory to trusted processes only, minimizing the ability of attackers to create arbitrary files. 4. Implement strict access controls and monitoring on the /updater/restore-db endpoint, including IP whitelisting and authentication where possible. 5. Monitor logs for suspicious activity related to backup file creation and restore endpoint access to detect potential exploitation attempts. 6. Employ web application firewalls (WAFs) with custom rules to detect and block malicious requests targeting the restore-db endpoint. 7. Regularly review and harden server and application configurations to reduce attack surface, including disabling unnecessary CLI command execution capabilities. 8. Educate development and operations teams about secure key management and the risks of code injection vulnerabilities. 9. Establish incident response procedures to quickly isolate and remediate compromised systems if exploitation is suspected.