CVE-2025-6384

CRITICAL

CrafterCMS 4.0.0-4.2.2 - Authenticated Remote Code Execution via Groovy Sandbox Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-6384. PoCs published by maestro-ant, mbadanoiu.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2025-6384, demonstrating an authenticated RCE vulnerability in CrafterCMS via a Groovy sandbox bypass. The exploit leverages the instantiation of a new `GroovyShell` to execute arbitrary commands, including a reverse shell payload.

Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution). This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

Exploits (2)

nomisec WORKING POC
by maestro-ant · poc
https://github.com/maestro-ant/CrafterCMS-CVE-2025-6384

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CrafterCMS (version not specified)
Authentication: required
Prerequisites: Authenticated access with developer privileges · Docker environment for lab setup
Analyzed by devstral-2 on Feb 16, 2026
nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2025-6384

This repository provides a writeup for CVE-2025-6384, detailing a Groovy Sandbox Bypass vulnerability in CrafterCMS that allows authenticated developers to execute OS commands. The PoC is described in an external PDF linked in the README.

Classification: Writeup (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Crafter CMS (Crafter Studio)
Authentication: required
Prerequisites: Valid user credentials · Access to Groovy script execution in CrafterCMS
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.0032
EPSS percentile: 55.3%
Attack vector: NETWORK

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical impact: partial

Details

CWE: CWE-913
Status: published
Products (2):
craftercms/craftercms 4.0.0 - 4.3.0
org.craftercms/crafter-studio 4.0.0 - 4.3.0 (Maven)
Published: Jun 19, 2025
Tracked since: Feb 18, 2026