Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access.
The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities –
- CVE-2024-58136 (CVSS score: 9.0) – An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that could be exploited to access restricted functionality or resources (A regression of CVE-2024-4990)
- CVE-2025-32432 (CVSS score: 10.0) – A remote code execution (RCE) vulnerability in Craft CMS (Patched in versions 3.9.15, 4.14.15, and 5.6.17)
According to the cybersecurity company, CVE-2025-32432 resides in a built-in image transformation feature that allows site administrators to keep images to a certain format.
“CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server,” security researcher Nicolas Bourras said.
“In versions 3.x of Craft CMS, the asset ID is checked before the creation of the transformation object whereas in versions 4.x and 5.x, the asset ID is checked after. Thus, for the exploit to function with every version of Craft CMS, the threat actor needs to find a valid asset ID.”
The asset ID, in the context of Craft CMS, refers to the way document files and media are managed, with each asset given a unique ID.
The threat actors behind the campaign have been found to run multiple POST requests until a valid asset ID is discovered, after which a Python script is executed to determine if the server is vulnerable, and if so, download a PHP file on the server from a GitHub repository.
“Between the 10th and the 11th of February, the threat actor improved their scripts by testing the download of filemanager.php to the web server multiple times with a Python script,” the researcher said. “The file filemanager.php was renamed to autoload_classmap.php on the 12th of February and was first used on the 14th of February.”
 |
|
Vulnerable Craft CMS Instances by Country |
As of April 18, 2025, an estimated 13,000 vulnerable Craft CMS instances have been identified, out of which nearly 300 have been allegedly compromised.
“If you check your firewall logs or web server logs and find suspicious POST requests to the actions/assets/generate-transform Craft controller endpoint, specifically with the string __class in the body, then your site has at least been scanned for this vulnerability,” Craft CMS said in an advisory. “This is not a confirmation that your site has been compromised; it has only been probed.”
If there is evidence of compromise, users are advised to refresh security keys, rotate database credentials, reset user passwords out of an abundance of caution, and block malicious requests at the firewall level.
The disclosure comes as an Active! Mail zero-day stack-based buffer overflow vulnerability (CVE-2025-42599, CVSS score: 9.8) has come under active exploitation in cyber attacks targeting organizations in Japan to achieve remote code execution. It has been fixed in version 6.60.06008562.
“If a remote third-party sends a crafted request, it may be possible to execute arbitrary code or cause a denial-of-service (DoS),” Qualitia said in a bulletin.
