CVE-2025-6384

CRITICAL

Craftercms < 4.3.0 - Remote Code Execution

Description

Improper Control of Dynamically-Managed Code Resources (CWE-913) in Crafter Studio, the authoring component of CrafterCMS, allows an authenticated user with developer privileges to execute OS commands via a Groovy sandbox bypass. By inserting malicious Groovy elements into a script, the attacker escapes the sandbox restrictions and obtains remote code execution (RCE) on the server. This issue affects CrafterCMS from 4.0.0 through 4.2.2.

Exploits (2)

nomisec WORKING POC
by maestro-ant · poc
https://github.com/maestro-ant/CrafterCMS-CVE-2025-6384
nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2025-6384

Scores

CVSS v3 9.1
EPSS 0.0032
EPSS Percentile 54.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-913
Status published
Products (2)
craftercms/craftercms 4.0.0 - 4.3.0
org.craftercms/crafter-studio 4.0.0 - 4.3.0 (Maven)
Published Jun 19, 2025
Tracked Since Feb 18, 2026