CVE-2025-54417: 
PHP vulnerability analysis and mitigation

Craft CMS versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209, which was originally reported as a potential Remote Code Execution (RCE) vulnerability with a compromised security key. The vulnerability was discovered in August 2025 and has been assigned CVE-2025-54417 (GitHub Advisory).

The vulnerability requires two specific pre-conditions to be exploited: first, having access to a compromised security key, and second, the ability to create an arbitrary file in Craft's /storage/backups folder. When these conditions are met, an attacker could craft a specific malicious request to the /updater/restore-db endpoint to execute CLI commands remotely. The vulnerability has been assigned a CVSS v4.0 score of 5.2 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary CLI commands remotely on the affected system, potentially leading to system compromise and unauthorized access to sensitive data. The impact is particularly severe if an attacker has already obtained the security key (GitHub Advisory).

The vulnerability has been fixed in Craft CMS versions 4.16.3 and 5.8.4. Users are strongly advised to upgrade to these patched versions. The fix involves removing the automated database restoration functionality from web updates, as implemented in commit a19d46b (GitHub Commit).