In recent developments, two significant vulnerabilities affecting Craft CMS have been exploited in zero-day attacks, resulting in data breaches and ongoing exploitation activities. The vulnerabilities were identified by the Computer Security Incident Response Team (CSIRT) of Orange Cyberdefense during an investigation of a compromised server.
Overview of the Vulnerabilities
The vulnerabilities in question are as follows:
- CVE-2025-32432: This vulnerability is classified as a Remote Code Execution (RCE) flaw within Craft CMS, enabling unauthorized attackers to execute arbitrary code on targeted servers.
- CVE-2024-58136: This is an input validation weakness in the Yii framework, on which Craft CMS depends.
Method of Attack
According to a report by SensePost, the ethical hacking division of Orange Cyberdefense, attackers leveraged these two interconnected vulnerabilities to compromise servers and upload malicious payloads, specifically a PHP file manager.
The attack sequence initiates with the exploitation of CVE-2025-32432. In this stage, attackers send a meticulously crafted request that includes a "return URL" parameter, which is then stored as part of a PHP session file. This session name is subsequently relayed back to the victim as part of the HTTP response.
[Figure: illustration of the request process. Source: SensePost]
The attack progresses through the exploitation of CVE-2024-58136. By sending a malicious JSON payload, attackers cause the PHP code previously stored in the session file to be executed on the server. This step gives the attackers the capability to install a PHP-based file manager, thereby facilitating further system compromise.
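The chain described above leaves a distinctive trace: attacker-controlled data containing PHP code inside a serialized session file, which a legitimate Craft CMS session never holds. The following defender-side scanner is an added example, not code from the SensePost report or from Craft CMS; it assumes PHP's default file session handler (files named sess_<id>) and uses constructed sample sessions, with __returnUrl being Yii's default session key for the stored return URL.

```python
import os
import re
import tempfile

# PHP open tags. Serialized session data for a CMS should never contain them.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# PHP's file session handler names session files sess_<id>.
SESSION_FILE_RE = re.compile(r"^sess_[A-Za-z0-9,-]+$")


def scan_session_bytes(data: bytes) -> list[str]:
    """Return findings for one session blob (empty list if clean)."""
    findings = []
    for m in PHP_TAG_RE.finditer(data):
        start = max(0, m.start() - 20)
        snippet = data[start:m.end() + 40].decode("latin-1", errors="replace")
        findings.append(f"php_open_tag at offset {m.start()}: {snippet!r}")
    return findings


def scan_session_dir(path: str) -> dict[str, list[str]]:
    """Scan every sess_* file under path; return {filename: findings} for hits only."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not SESSION_FILE_RE.match(name):
            continue  # skip anything that is not a PHP session file
        with open(os.path.join(path, name), "rb") as fh:
            findings = scan_session_bytes(fh.read())
        if findings:
            results[name] = findings
    return results


# Constructed sample sessions in PHP's "php" serialize_handler layout (key|value;).
BENIGN_SESSION = b'__flash|a:0:{}__returnUrl|s:10:"/dashboard";'
POISONED_SESSION = b'__returnUrl|s:28:"<?php echo \'constructed\'; ?>";'


def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temporary session directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sess_benign0001"), "wb") as fh:
            fh.write(BENIGN_SESSION)
        with open(os.path.join(d, "sess_poison0002"), "wb") as fh:
            fh.write(POISONED_SESSION)
        with open(os.path.join(d, "not_a_session.txt"), "wb") as fh:
            fh.write(POISONED_SESSION)  # ignored: not a sess_* file
        return scan_session_dir(d)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, *hits, sep="\n  ")
```

On a real host, point scan_session_dir at the directory configured by session.save_path in php.ini; a hit warrants treating the server as compromised and following the remediation steps below.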
Ongoing Compromise Activities
Orange Cyberdefense noted additional malicious activities following the initial breach. These included the upload of backdoors and exfiltration of sensitive data. Further insights into these post-exploitation actions are expected in subsequent reports from their team.
Remedial Measures Taken
The Yii framework developers addressed the CVE-2024-58136 vulnerability in version 2.0.52, which was released on April 9. Following closely on April 10, Craft CMS rectified the CVE-2025-32432 vulnerability through updates to versions 3.9.15, 4.14.15, and 5.6.17. Although Craft CMS has not yet transitioned to the latest Yii version, Orange Cyberdefense confirmed that the critical attack chain has been mitigated.
It is worth noting that Craft CMS still defaults to the vulnerable Yii version (2.0.51). Nonetheless, with the fixes for CVE-2025-32432 in place, this specific exploit chain is no longer feasible.
Recommended Security Measures for Administrators
Craft CMS has outlined several actionable steps for administrators who suspect their site may have been compromised:
- Refresh Security Keys: Immediately update your security key, as it may have been intercepted. Use the command
php craft setup/security-key
and ensure the new CRAFT_SECURITY_KEY is deployed to all production environments.
- Update Private Keys: Refresh any other private keys stored as environment variables (e.g., AWS S3 or Stripe API keys).
- Rotate Database Credentials: Change your database access credentials to further secure your systems.
- Enforce User Password Resets: As a precautionary measure, require all users to reset their passwords. This can be done with the command
php craft resave/users --set passwordResetRequired --to "fn() => true"
For comprehensive information regarding indicators of compromise, including relevant IP addresses and file names, refer to the appendix in SensePost’s detailed report.
Continued Vigilance
In light of these events, it is crucial for organizations using Craft CMS to remain vigilant. In February, the Cybersecurity and Infrastructure Security Agency (CISA) identified another RCE vulnerability (CVE-2025-23209) impacting Craft CMS versions 4 and 5, indicating an ongoing need for robust security measures and regular updates in response to emerging threats.
Staying informed and implementing best practices in cybersecurity is essential for safeguarding sensitive data against evolving threat landscapes.