CISA confirms active exploitation of Craft CMS PHP injection vulnerability. Attackers are scanning the internet for vulnerable sites right now. If you run Craft CMS, you need to patch immediately or implement mitigation measures.
Craft CMS has an active code injection vulnerability. Attackers can run arbitrary PHP on your server. CISA has confirmed active exploitation, and automated scanners are already hunting for vulnerable sites.
What attackers can do:
- Run arbitrary PHP code on your server
- Steal database contents
- Install backdoors for persistent access
- Compromise other sites on the same server
- Use your server as a launchpad for further attacks
Assess your exposure:
- Find all servers running Craft CMS and check their versions
- Review server logs for suspicious activity
- Look for unexpected file changes
- Check files for injected code
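One way to run the first and third checks on a host, as an added example that is not from Craft CMS or CISA. It finds installs by looking for the craftcms/cms package in composer.lock, compares each version with the first fixed release per major branch, and lists recently modified PHP files. The fixed releases are not stated on this page, so the caller supplies them from the vendor advisory; the function names and the 7-day window are assumptions.

```python
import json, sys, time
from pathlib import Path

PACKAGE = "craftcms/cms"  # Composer package name of the Craft CMS core

def parse_version(v):
    """'v4.5.10' or '4.5.10-beta.1' -> (4, 5, 10); pre-release suffixes are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def find_craft_installs(root):
    """Yield (project_dir, version) for every composer.lock that pins craftcms/cms."""
    for lock in Path(root).rglob("composer.lock"):
        try:
            packages = json.loads(lock.read_text(encoding="utf-8")).get("packages", [])
        except (OSError, ValueError, AttributeError):
            continue  # unreadable, or not a Composer lock file
        for pkg in packages:
            if isinstance(pkg, dict) and pkg.get("name") == PACKAGE:
                yield lock.parent, str(pkg.get("version", ""))

def recent_php_files(project, days, now=None):
    """PHP files modified within `days`; vendor/ is included on purpose."""
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(str(p.relative_to(project)) for p in Path(project).rglob("*.php")
                  if p.is_file() and p.stat().st_mtime >= cutoff)

def assess(root, fixed_by_major, days=7, now=None):
    """fixed_by_major maps a major branch to its first patched release (assumed
    input, taken from the vendor advisory). Unknown branches and unparseable
    versions are reported as needing a patch so they get a manual look."""
    report = []
    for project, version in find_craft_installs(root):
        parsed = parse_version(version)
        fixed = fixed_by_major.get(parsed[0]) if parsed else None
        report.append({
            "path": str(project),
            "version": version,
            "needs_patch": fixed is None or parsed < parse_version(fixed),
            "recent_php": recent_php_files(project, days, now),
        })
    return sorted(report, key=lambda r: r["path"])

if __name__ == "__main__":
    # usage: craft_audit.py /var/www 4=<fixed 4.x release> 5=<fixed 5.x release>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    fixed = {int(k): v for k, v in (a.split("=", 1) for a in sys.argv[2:])}
    print(json.dumps(assess(root, fixed), indent=2))
```

File modification times can be reset by whoever wrote the file, so an empty recent_php list is a lead, not a clean bill of health; compare against a known-good copy or backup where one exists.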
If you can patch immediately: Update to the latest Craft CMS version. Test in staging first.
If patches aren't ready yet:
- Block known attack patterns with a WAF
- Restrict access to the Craft admin interface
- Use IP whitelisting for admin access
- Disable non-essential Craft functionality
Long-term:
- Apply least privilege to server accounts
- Separate web servers from databases
- Consider containerizing your applications
- Create (or update) your incident response plan
Patch now. Automated scanners don't wait.