Ongoing attacks leveraging the recently patched high-severity code injection flaw in the Craft content management system have prompted its inclusion in the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog, with federal agencies urged to remediate the issue by Mar. 13, The Hacker News reports.
According to an advisory from CISA, threat actors could abuse the bug, which affects several Craft CMS 4 and 5 versions whose user security keys have already been compromised, to achieve remote code execution.
Organizations running vulnerable Craft CMS instances that cannot apply the patched version were instead urged by the company to rotate their security keys and implement additional privacy measures to avert potential compromise.
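The mitigation above hinges on the security key, so a defender's first question is whether the key in each deployment is strong and whether it has actually been replaced. The following Python helper, added here as an illustration and not Craft's own tooling, rotates the key in an `.env`-style file: it reads the current value, flags weak or placeholder keys, generates a fresh key from the OS CSPRNG, and rewrites only that one line so other settings survive untouched. It assumes the key lives in a `.env` file under the variable name `CRAFT_SECURITY_KEY` (the name Craft 4/5 reads) and that the application is restarted and its caches cleared afterwards; the sample `.env` text is constructed for the demonstration. Craft also ships its own `setup/security-key` console command for the same purpose, which the article does not mention.

```python
"""Rotate the Craft CMS security key stored in a .env file.

Added example, not part of Craft CMS. Assumption: the key is stored as
CRAFT_SECURITY_KEY in the project's .env file.
"""
import re
import secrets
from pathlib import Path
from typing import Optional, Tuple

SECURITY_KEY_VAR = "CRAFT_SECURITY_KEY"   # assumption: Craft 4/5 env variable name
MIN_KEY_LENGTH = 32                        # assumption: shorter keys are treated as weak
PLACEHOLDER_KEYS = {"", "changeme", "secret", "your-security-key"}  # constructed list

# Match exactly one "CRAFT_SECURITY_KEY=..." line; [ \t]* avoids spanning newlines.
_KEY_LINE = re.compile(
    rf"^(?P<prefix>[ \t]*{SECURITY_KEY_VAR}[ \t]*=[ \t]*)(?P<value>.*)$",
    re.MULTILINE,
)


def generate_security_key(nbytes: int = 32) -> str:
    """Return a fresh random key (64 hex chars) from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def current_security_key(env_text: str) -> Optional[str]:
    """Extract the current key value, stripping surrounding quotes."""
    match = _KEY_LINE.search(env_text)
    if match is None:
        return None
    return match.group("value").strip().strip("\"'")


def key_is_weak(key: Optional[str]) -> bool:
    """Missing, placeholder, or short keys should be rotated regardless of exposure."""
    if key is None:
        return True
    return len(key) < MIN_KEY_LENGTH or key.lower() in PLACEHOLDER_KEYS


def rotate_security_key(env_text: str, new_key: Optional[str] = None) -> Tuple[str, str]:
    """Return (updated_env_text, new_key); replaces the key line or appends one."""
    new_key = new_key or generate_security_key()
    if current_security_key(env_text) == new_key:
        raise ValueError("new key must differ from the current one")
    quoted = '"' + new_key + '"'
    if _KEY_LINE.search(env_text):
        updated = _KEY_LINE.sub(lambda m: m.group("prefix") + quoted, env_text, count=1)
    else:
        sep = "" if (not env_text or env_text.endswith("\n")) else "\n"
        updated = f"{env_text}{sep}{SECURITY_KEY_VAR}={quoted}\n"
    return updated, new_key


def rotate_env_file(path: Path) -> str:
    """Rotate the key in a real .env file in place and return the new key."""
    updated, new_key = rotate_security_key(path.read_text())
    path.write_text(updated)
    return new_key


# Constructed sample .env for the demonstration (not a real deployment).
SAMPLE_ENV = """# constructed sample
CRAFT_APP_ID=CraftCMS--example
CRAFT_ENVIRONMENT=production
CRAFT_SECURITY_KEY="changeme"
CRAFT_DB_DRIVER=mysql
"""

if __name__ == "__main__":
    old = current_security_key(SAMPLE_ENV)
    print(f"current key {old!r} weak: {key_is_weak(old)}")
    updated_env, key = rotate_security_key(SAMPLE_ENV)
    print(updated_env)
```

Run it against a copy of the `.env` first; after rotating on a live instance, restart PHP workers and clear Craft's caches, because anything encrypted or signed with the old key (cookies, tokens) is intentionally invalidated by the rotation.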