What vulnerabilities were discovered in Craft CMS?

Orange Cyberdefense's CSIRT team uncovered two critical vulnerabilities: CVE-2025-32432 (CVSS score 10.0), a remote code execution vulnerability affecting all Craft CMS versions prior to 3.9.15, 4.14.15, and 5.6.17, and CVE-2024-58136 (CVSS score 9), an input validation flaw in the Yii framework utilized by Craft CMS.

How do attackers exploit these Craft CMS vulnerabilities?

Attackers use a multi-stage approach: 1) They exploit CVE-2025-32432 to identify valid asset IDs by sending multiple POST requests to the /index.php?p=admin/actions/assets/generate-transform endpoint. 2) After finding a valid asset ID, they verify server vulnerability by attempting to execute the PHP phpinfo() function. 3) They send a crafted request with injected PHP code as a parameter to an admin page, causing Craft CMS to store this code in a PHP session file. 4) Finally, they trigger the execution of this PHP code by exploiting the Yii framework vulnerability (CVE-2024-58136), allowing them to download a file manager directly to the web server.

Which versions of Craft CMS are affected by these vulnerabilities?

All Craft CMS versions are affected prior to: 3.9.15, 4.14.15, and 5.6.17.

What should Craft CMS users do to protect their systems?

Craft CMS has released patches for all affected versions. Users should update their Craft CMS immediately. If you suspect your system has been compromised, administrators should: 1) Refresh your security key using 'php craft setup/security-key', 2) Rotate any private keys stored as environment variables (e.g., S3 or Stripe), 3) Rotate database credentials, 4) Force password resets for all users with 'php craft resave/users --set passwordResetRequired --to "fn() => true"'.

What are the indicators of compromise for these Craft CMS vulnerabilities?

Look for these indicators of compromise: Suspicious POST requests to 'actions/assets/generate-transform' containing '__class' in the body, presence of files like filemanager.php, autoload_classmap.php, wp-22.php, or style.php at the web root, and connections from known malicious IP addresses (103.106.66[.]123, 172.86.113[.]137, 104.161.32[.]11, 154.211.22[.]213, 38.145.208[.]231).

Who discovered these Craft CMS vulnerabilities?

Orange Cyberdefense's CSIRT team uncovered the sophisticated attack chain targeting Craft CMS installations. Their investigation followed the compromise of a server hosting a website built with Craft CMS version 4.12.8.

Attack

Craft CMS zero-Day vulnerabilities actively exploited

Q: What actions do attackers take after gaining access to a Craft CMS system?

Once attackers gain access, they deploy a PHP file manager (filemanager.php), rename it to avoid detection, upload additional backdoors and malicious PHP files, and exfiltrate sensitive data from compromised servers.

published: April 26, 2025

Take action: Update all your Craft CMS installations to the patched versions (3.9.15, 4.14.15, or 5.6.17) immediately. If you can't follow the mitigation measures, although they are not really a long term fix. Review the advisory for the indicators of compromise to check your server. You can't ignore this patch, your server is exposed on the internet by design.

Learn More

Orange Cyberdefense's CSIRT team has uncovered a sophisticated attack chain targeting Craft CMS installations, involving two critical vulnerabilities that allowed attackers to gain remote code execution capabilities on vulnerable servers. The investigation followed the compromise of a server hosting a website built with Craft CMS version 4.12.8.

Vulnerabilities summary

CVE-2025-32432 (CVSS score 10.0): A remote code execution vulnerability in Craft CMS affecting all versions prior to 3.9.15, 4.14.15, and 5.6.17.
CVE-2024-58136 (CVSS score 9): An input validation flaw in the Yii framework utilized by Craft CMS.

The attackers exploiting these flaws employ a multi-stage approach:

First, they exploit CVE-2025-32432 to identify valid asset IDs by sending multiple POST requests to the /index.php?p=admin/actions/assets/generate-transform endpoint.
After finding a valid asset ID, they verify server vulnerability by attempting to execute the PHP phpinfo() function.
They then send a crafted request with injected PHP code as a parameter to an admin page, causing Craft CMS to store this code in a PHP session file.
Finally, they trigger the execution of this PHP code by exploiting the Yii framework vulnerability (CVE-2024-58136), allowing them to download a file manager directly to the web server.

Once the attackers gain access, they deploy a PHP file manager (filemanager.php), rename it to avoid detection, upload additional backdoors and malicious PHP files and exfiltrate sensitive data from compromised servers.

All Craft CMS versions are affected prior to:

3.9.15
4.14.15
5.6.17

Craft CMS has released patches for all affected versions. Users should update their Craft CMS immediately. If you suspect your system has been compromised, administrators should:

Refresh your security key using php craft setup/security-key
Rotate any private keys stored as environment variables (e.g., S3 or Stripe)
Rotate database credentials
Force password resets for all users with php craft resave/users --set passwordResetRequired --to "fn() => true"

Look for these indicators of compromise:

Suspicious POST requests to actions/assets/generate-transform containing __class in the body
Presence of files like filemanager.php, autoload_classmap.php, wp-22.php, or style.php at the web root
Connections from known malicious IP addresses (103.106.66[.]123, 172.86.113[.]137, 104.161.32[.]11, 154.211.22[.]213, 38.145.208[.]231)

Orange Cyberdefense identified approximately 13,000 vulnerable Craft CMS instances globally, with roughly 300 showing signs of compromise. The majority of affected instances are located in the United States.

Craft CMS zero-Day vulnerabilities actively exploited

Read More
SessionReaper flaw in Adobe Magento actively exploited
GlassWorm supply chain attack: Self-Propagating malware infects Visual …
CISA warns of active exploit targeting old Apache …
Massive ransomware attack targets 22K CyberPanel instances
CISA Reports Active Exploitation of VMware Aria Operations