Warning: Critical vulnerability in Grav allows arbitrary command execution, patch immediately!

Published: 02/12/2025
  • Last update: 2/12/2025
  • Affected software: Grav < 1.8.0-beta.27
  • Type: Server-Side Template Injection (SSTI) vulnerability
  • CVE/CVSS
    → CVE-2025-66294: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Sources

Grav - https://github.com/getgrav/grav

Risks

Exploitation of CVE-2025-66294 could enable a full compromise of the affected server and increase the exposure of interconnected systems and data sources. Threat actors are likely to target this vulnerability and may chain it with additional flaws to deepen the compromise.

CVE-2025-66294 has a high impact on the confidentiality, integrity, and availability of the system.

Description

CVE-2025-66294 resides in the application's editor functionality, which can be used to create a form whose visitor-supplied input is passed unsanitized to the template engine (server-side template injection). Once such a form is published, even unauthenticated visitors can submit crafted input that is rendered as a template, leading to command execution on the server. In practice, an authenticated account with editor privileges is therefore sufficient to obtain arbitrary command execution under these conditions.
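
The following is an added illustration, not code from Grav or from this advisory. It uses a deliberately minimal stand-in template engine (a regex plus Python eval) rather than Twig, so the syntax and engine internals are assumptions; the trust boundary it demonstrates is the same one the vulnerability crosses: text that reaches the engine as template source is executed, text that reaches it as a context variable is only data. The "{{ 7*7 }}" probe is the classic check for this class of bug.

```python
import re

# Minimal stand-in for a template engine (NOT Twig, NOT Grav code): every
# "{{ expr }}" is evaluated as an expression against the supplied context.
# Real engines evaluate their own expression language, but the rule is the
# same: template source is code, the context dictionary is data.
_EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def render(template: str, context: dict) -> str:
    def _eval(m: re.Match) -> str:
        # Only the context is visible as variables; builtins are withheld.
        return str(eval(m.group(1), {"__builtins__": {}}, dict(context)))

    # re.sub makes a single pass, so substituted values are never re-parsed.
    return _EXPR.sub(_eval, template)


def vulnerable_confirmation(visitor_name: str) -> str:
    # VULNERABLE pattern: visitor input is concatenated into the template
    # source before rendering, so "{{ ... }}" in the input gets executed.
    return render("Thank you, " + visitor_name + "!", {})


def hardened_confirmation(visitor_name: str) -> str:
    # HARDENED pattern: the template is a fixed string written by the site
    # author; the visitor input only ever enters as a context variable.
    return render("Thank you, {{ name }}!", {"name": visitor_name})


# Constructed SSTI probe: if the engine evaluates it, the output contains 49.
PROBE = "{{ 7*7 }}"

if __name__ == "__main__":
    print(vulnerable_confirmation(PROBE))  # Thank you, 49!
    print(hardened_confirmation(PROBE))    # Thank you, {{ 7*7 }}!
```

The point of the hardened variant is that the fix is not escaping or filtering braces in the input but keeping visitor input out of the template source entirely; a form builder that lets an editor place a field value inside template markup reintroduces the vulnerable pattern.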

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends upgrading vulnerable installations to Grav 1.8.0-beta.27 or later with the highest priority after thorough testing.
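
As an added helper (not part of this advisory or of the Grav project), the script below reads the installed version and compares it against the first fixed release named above. It assumes that a Grav installation declares its version in system/defines.php as define('GRAV_VERSION', '...'); if your installation differs, point grav_version_from_defines at the right file. The comparison treats a final release as newer than any pre-release of the same base version and orders pre-release tags alphabetically (alpha < beta < rc), which is sufficient for Grav's version strings but is a simplification of full semantic versioning.

```python
from __future__ import annotations

import re
from pathlib import Path

# First version that is not affected, per the advisory.
FIXED_VERSION = "1.8.0-beta.27"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+))?$")
# Assumed location/format of the version constant in a Grav install.
_DEFINE_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_key(version: str) -> tuple:
    """Sortable key: (major, minor, patch, is_final, pre_tag, pre_number)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    if pre_tag is None:
        # A final release sorts after every pre-release of the same base.
        return (int(major), int(minor), int(patch), 1, "", 0)
    return (int(major), int(minor), int(patch), 0, pre_tag.lower(), int(pre_num))


def is_vulnerable(version: str) -> bool:
    """True when the given Grav version is older than the first fixed one."""
    return version_key(version) < version_key(FIXED_VERSION)


def grav_version_from_defines(defines_php: str) -> str:
    """Extract GRAV_VERSION from the contents of system/defines.php."""
    m = _DEFINE_RE.search(defines_php)
    if not m:
        raise ValueError("GRAV_VERSION not found in defines.php")
    return m.group(1)


def check_install(grav_root: str) -> tuple[str, bool]:
    """Return (installed_version, vulnerable) for a Grav root directory."""
    text = Path(grav_root, "system", "defines.php").read_text(encoding="utf-8")
    version = grav_version_from_defines(text)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    installed, vulnerable = check_install(root)
    status = "VULNERABLE, upgrade now" if vulnerable else "not affected"
    print(f"Grav {installed}: {status} (fixed in {FIXED_VERSION})")
```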

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
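
One concrete detection that follows from the description above is to look for template syntax in data that visitors submit to forms. The script below is an added example, not tooling from the CCB or the Grav project. It assumes you can obtain form submissions as JSON lines (for instance from a reverse proxy that logs request bodies, or from stored submissions exported to that shape); the record layout and the sample lines are constructed for the example. It URL-decodes repeatedly because double encoding is a common way to slip past a single-pass filter, and then flags any field that contains one of Twig's three delimiter families, which legitimate visitors almost never type.

```python
from __future__ import annotations

import json
import re
from urllib.parse import unquote_plus

# Twig's delimiter families: output "{{ }}", statements "{% %}", comments "{# #}".
_TWIG_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so %257B%257B is seen as {{."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_syntax(value: str) -> list[str]:
    """Return every Twig-like construct found in a (possibly encoded) value."""
    return _TWIG_DELIMS.findall(decode_layers(value))


def scan_submissions(records: list[dict]) -> list[dict]:
    """One finding per form field that carries template syntax."""
    findings = []
    for rec in records:
        for field, value in rec.get("fields", {}).items():
            hits = find_template_syntax(str(value))
            if hits:
                findings.append({
                    "ts": rec["ts"], "ip": rec["ip"], "form": rec["form"],
                    "field": field, "hits": hits,
                })
    return findings


def load_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample submissions (hypothetical export format, not a Grav log).
SAMPLE = """
{"ts":"2025-12-02T09:14:03Z","ip":"203.0.113.7","form":"contact","fields":{"name":"Alice","message":"Hi, please call me."}}
{"ts":"2025-12-02T09:14:21Z","ip":"198.51.100.23","form":"contact","fields":{"name":"{{ 7*7 }}","message":"test"}}
{"ts":"2025-12-02T09:15:02Z","ip":"198.51.100.23","form":"contact","fields":{"name":"x","message":"%7B%25+if+1+%25%7D%7B%25+endif+%25%7D"}}
""".strip()

if __name__ == "__main__":
    for finding in scan_submissions(load_jsonl(SAMPLE)):
        print(finding)
```

A hit is a trigger for investigation, not proof of compromise: it shows that someone probed the form, so the next steps are to confirm whether the form rendered visitor input through the template engine and to review the server for follow-on activity from the same source address.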

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.