
CVE-2025-68454: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in craftcms cms

Severity: Medium
Tags: Vulnerability, CVE-2025-68454, cve, cve-2025-68454, cwe-1336
Published: Mon Jan 05 2026 (01/05/2026, 21:56:00 UTC)
Source: CVE Database V5
Vendor/Project: craftcms
Product: cms

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

AI-Powered Analysis

Last updated: 01/05/2026, 22:22:54 UTC

Technical Analysis

CVE-2025-68454 is a server-side template injection (SSTI) flaw in Craft CMS, classified under CWE-1336 (improper neutralization of special elements used in a template engine). It affects Craft 4.0.0-RC1 through 4.16.16 and 5.0.0-RC1 through 5.8.20. Craft renders a number of control panel settings (text fields that accept Twig input) and the subject and body of each System Message as Twig templates. In the affected versions, a payload built around the Twig `map` filter, placed in one of those fields, can reach arbitrary code execution on the server when the template is rendered. `map` takes an arrow function (or another callable) whose body is evaluated at render time, so any restriction Craft places on user-supplied Twig has to hold inside that argument as well; the advisory indicates it did not, but does not describe the exact bypass. Two authenticated paths exist. The first is an administrator account while allowAdminChanges is enabled; Craft recommends disabling that setting in any non-dev environment, so this path should already be closed on a correctly configured production site. The second is any account with permission to use the System Messages utility, which works even with allowAdminChanges disabled and is therefore the more realistic path against a production site. Code reached this way runs as the PHP process serving the site. The CVSS v4.0 score recorded here is 5.2 (medium), which reflects the authentication and configuration prerequisites rather than the outcome: once exploited, confidentiality, integrity and availability of the web host are fully compromised. No public exploit had been observed at the time of analysis. The fix is in Craft itself, not in Twig: upgrade to 5.8.21 or 4.16.17.
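As an added example (not Craft's or the advisory's own code), the following Python script hunts for the `map` filter, plus its sibling arrow-taking filters `filter` and `reduce` as a deliberately broader net than the advisory names, in text that Craft renders as Twig. It assumes you have exported that text, for example the subject and body of each System Message and the Twig-bearing strings from the site's settings, into plain Python strings; the sample texts at the bottom are constructed, and the flagged one carries a harmless `map` call standing in for a payload.

```python
"""Hunt for Twig map/filter/reduce usage in content Craft renders as Twig.

Added example for this advisory page, not Craft's or the advisory's own code.
Input is assumed to be (label, text) pairs exported from the site; the
samples below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Twig output and logic tags; a filter can only be applied inside one of these.
_TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

# The advisory names `map`; `filter` and `reduce` also accept an arrow function,
# so they are included deliberately. Twig filter names are case-sensitive.
_ARROW_FILTERS = ("map", "filter", "reduce")
_FILTER_RE = re.compile(r"\|\s*(" + "|".join(_ARROW_FILTERS) + r")\s*\(")


@dataclass
class Finding:
    source: str       # label for where the text came from
    line: int         # 1-based line on which the Twig tag starts
    filter_name: str  # which of the watched filters was applied
    tag: str          # the whole Twig tag, whitespace collapsed


def find_arrow_filters(text: str, source: str = "<text>") -> List[Finding]:
    """Return one Finding per watched filter application found in `text`."""
    findings: List[Finding] = []
    for tag_match in _TAG_RE.finditer(text):
        tag = tag_match.group(0)
        for f in _FILTER_RE.finditer(tag):
            line = text.count("\n", 0, tag_match.start()) + 1
            findings.append(Finding(source, line, f.group(1), " ".join(tag.split())))
    return findings


def scan_sources(sources: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Scan (label, text) pairs and collect every hit across them."""
    out: List[Finding] = []
    for label, text in sources:
        out.extend(find_arrow_filters(text, label))
    return out


# Constructed samples: two ordinary messages, one carrying a map filter, and a
# URI format that contains no Twig tags at all.
SAMPLES = [
    ("system_messages/verify_email/body",
     "Hi {{ user.friendlyName }},\n\nVerify your address: {{ link }}"),
    ("system_messages/forgot_password/body",
     "Reset here: {{ link }}\n{{ [user.id] | map(x => x) }}"),
    ("sections/news/uriFormat", "news/{slug}"),
]

if __name__ == "__main__":
    for hit in scan_sources(SAMPLES):
        print(f"{hit.source}:{hit.line}: `{hit.filter_name}` filter in {hit.tag}")
```

A hit in a System Message or a URI format deserves a human look, because those fields have no legitimate need to map over arrays; a hit in a template you customised on purpose may be a false positive. A payload found before patching is evidence that the account that wrote it was used against you and should be investigated, not just deleted.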

Potential Impact

For European organizations running Craft CMS, successful exploitation means an attacker executes code as the PHP process serving the site, with access to everything that process can reach: the database credentials and Craft's own configuration, uploaded assets, stored user data and any internal systems the host can talk to. That translates into data breaches, defacement, persistence (a web shell in the document root is a one-line follow-up) and disruption of service. The need for an authenticated account and, on the administrator path, a setting Craft already advises against in production, lowers the chance of mass exploitation but does not remove the risk: the System Messages path needs only that utility's permission, which is easy to hand out to editors or marketing staff and easy to forget. Organizations in government, finance, healthcare and e-commerce that use the CMS for their public presence face reputational damage, regulatory exposure under GDPR and operational downtime. The absence of known exploits in the wild is a window for remediation, not a reason to wait.

Mitigation Recommendations

European organizations should verify their Craft CMS version now and update to 5.8.21 or 4.16.17. In parallel, confirm that allowAdminChanges is false in config/general.php for every non-dev environment, as Craft recommends; that closes the administrator path entirely. Then audit who holds the System Messages utility permission and revoke it from any account that does not need it, since that path works regardless of allowAdminChanges. Because a payload in a setting or a system message is stored and rendered later, review the current contents of Twig-accepting settings and every System Message for Twig you did not put there, in particular any use of the `map` filter; treat anything found as a sign of compromise and investigate the account that wrote it rather than simply removing the text. Craft's Twig-accepting settings parse Twig by design, so there is no switch to turn that off; the controls are version, configuration and permissions. A WAF rule that flags `|map(` in control panel POST bodies adds a tripwire, but control panel traffic is authenticated, so this is defence in depth rather than a fix. Monitor the control panel for edits to system messages and settings (project config changes and the storage/logs directory are the places to look) and alert on them outside normal change windows. Finally, make sure administrators understand why allowAdminChanges stays off in production.
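To check versions across several sites, this added Python example (not Craft's or the advisory's own code) reads the craftcms/cms entry from a composer.lock and compares it against the advisory's inclusive ranges, ordering pre-releases the way Composer does so that 5.0.0-RC1 sorts below 5.0.0 and 5.0.0-beta.1 below the RC1 lower bound. The lock content at the bottom is constructed.

```python
"""Check an installed Craft CMS against the CVE-2025-68454 affected ranges.

Added example for this advisory page, not Craft's or the advisory's own code.
Assumes dependencies are pinned in a Composer lock file whose core package is
named "craftcms/cms"; the sample lock content below is constructed.
"""
import json
import re
from typing import Optional, Tuple

# Pre-release ordering used by Composer: alpha < beta < RC < final release.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '5.8.20' or '5.0.0-RC1' into a sortable tuple.

    A final release sorts after any pre-release of the same x.y.z.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, stage, num = m.groups()
    if stage is None:
        return (int(major), int(minor), int(patch), _FINAL, 0)
    return (int(major), int(minor), int(patch), _STAGE[stage.lower()], int(num or 0))


# Inclusive ranges from the advisory: 4.0.0-RC1..4.16.16 and 5.0.0-RC1..5.8.20.
AFFECTED_RANGES = (
    (parse_version("4.0.0-RC1"), parse_version("4.16.16")),
    (parse_version("5.0.0-RC1"), parse_version("5.8.20")),
)
PATCHED = {4: "4.16.17", 5: "5.8.21"}


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges.

    Anything outside them (3.x, pre-RC 4.0/5.0 builds, 4.16.17+, 5.8.21+)
    reports False, which is all the advisory text supports.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def installed_craft_version(lock_json: str) -> Optional[str]:
    """Read the craftcms/cms version out of composer.lock content."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def assess(lock_json: str) -> str:
    """One-line verdict for a composer.lock, suitable for a fleet inventory run."""
    version = installed_craft_version(lock_json)
    if version is None:
        return "craftcms/cms not found in lock file"
    if is_affected(version):
        target = PATCHED[parse_version(version)[0]]
        return f"{version}: AFFECTED by CVE-2025-68454, upgrade to {target}"
    return f"{version}: not in the affected ranges"


# Constructed sample lock content, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.8.20"},
    {"name": "yiisoft/yii2", "version": "2.0.0"},
]})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK))
```

Run it against each site's composer.lock (for example `python check.py < composer.lock` after replacing SAMPLE_LOCK with `sys.stdin.read()`); the lock file is the source of truth for what Composer actually installed, whereas the constraint in composer.json only says what was allowed.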


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-17T20:22:35.081Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695c36383839e44175942eae

Added to database: 1/5/2026, 10:07:52 PM

Last enriched: 1/5/2026, 10:22:54 PM

Last updated: 1/8/2026, 2:28:41 PM

Views: 16
