Cyber Posture

CVE-2025-68456

Critical · Public PoC

Published: 05 January 2026
Modified: 12 January 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0022 (44.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly identifies and restricts actions permitted without authentication, preventing unauthenticated users from triggering sensitive database backup operations.

prevent: Implements denial-of-service protections such as rate limiting to counter resource exhaustion from repeated unauthenticated backup requests.

prevent: Mandates timely flaw remediation through patching to the fixed Craft CMS versions, fully eliminating the vulnerability.

Security Summary (AI)

CVE-2025-68456 is a high-severity vulnerability in Craft CMS, a platform for creating digital experiences. It affects versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, where unauthenticated users can trigger database backup operations via specific admin actions. This flaw, linked to CWE-202 (Observable Discrepancy) and CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), highlighting risks of both confidentiality and availability impacts.

Any unauthenticated attacker with network access can exploit the issue with low complexity and no user interaction. By invoking the vulnerable admin actions, they can initiate database backups, potentially causing resource exhaustion through repeated operations that consume significant CPU, memory, or disk space, or enabling information disclosure if backups expose sensitive data.

Mitigation requires updating to patched versions 5.8.21 or 4.16.17, as detailed in the Craft CMS changelog and security advisory GHSA-v64r-7wg9-23pr. Craft 3 users should upgrade to the latest Craft 4 and 5 releases, which incorporate the fixes. The specific patch is implemented in GitHub commit f83d4e0c6b906743206b4747db4abf8164b8da39.

Details

CWE(s): CWE-202 (Observable Discrepancy), CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products: craftcms craft cms: 5.0.0 · 3.0.0 — 4.16.17 · 5.0.1 — 5.8.21

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Unauthenticated remote exploitation of the public-facing Craft CMS web application (T1190) enables triggering resource-intensive database backups, facilitating endpoint DoS through repeated application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
