CVE-2025-54417: 
PHP vulnerability analysis and mitigation

Craft CMS versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209, which was related to potential Remote Code Execution (RCE) with a compromised security key. The vulnerability was discovered on August 8, 2025, and was assigned identifier CVE-2025-54417. The issue affects the Craft CMS platform, which is used for creating digital experiences (NVD, GitHub Advisory).

The vulnerability requires two specific pre-conditions to be exploited: first, having access to a compromised security key, and second, the ability to create an arbitrary file in Craft's /storage/backups folder. When these conditions are met, an attacker could craft a specific malicious request to the /updater/restore-db endpoint to execute CLI commands remotely. The issue was fixed in versions 4.16.3 and 5.8.4 through commit a19d46b, which removed the automated database restoring functionality from web updates (GitHub Commit).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary CLI commands remotely on the affected system. This could potentially lead to unauthorized access, data manipulation, or complete system compromise, particularly in environments where the security key has been compromised (GitHub Advisory).

The vulnerability has been patched in Craft CMS versions 4.16.3 and 5.8.4. Users are strongly advised to upgrade to these or later versions. The fix involves removing the automated database restoring functionality from web updates, effectively preventing the potential exploitation path (GitHub Commit).