Zero-Day Exploits Used in Craft CMS Attacks, Orange Cyberdefense Warns

Tuesday, April 29, 2025

The CSIRT team at Orange Cyberdefense has reported that attackers exploited two vulnerabilities—one of them a zero-day—in Craft CMS to compromise servers and steal data. The vulnerabilities, which were actively exploited in the wild, were discovered during an incident response investigation involving a compromised client server.

The two flaws include:

  • CVE-2025-32432: A Remote Code Execution (RCE) vulnerability in Craft CMS
  • CVE-2024-58136: An input validation vulnerability in the Yii framework, which is used by Craft CMS

According to a report from SensePost, the ethical hacking team at Orange Cyberdefense, the attackers chained the two vulnerabilities. First, they exploited the RCE flaw by submitting a crafted request containing a manipulated “return URL”, which was written into a PHP session file. They then abused the Yii framework vulnerability by submitting a malicious JSON payload containing embedded PHP code that was executed via the session file. This gave the attackers full control of the server, which they used to install a PHP-based file manager for persistent access.

Patch Status

  • CVE-2025-32432 was patched in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17
  • The Yii framework vulnerability was patched in Yii version 2.0.52, released on April 9, 2025
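A branch-aware check against the fixed versions listed above, added here as an example and not part of the original article or of Craft CMS itself. It compares versions numerically (so 4.9.2 is correctly ranked below 4.14.15), treats a pre-release of the fixed version as not yet patched, and reports "unknown" for branches the article names no fix for; the product keys and the sample inventory are constructed.

```python
"""Patch-status triage for the Craft CMS / Yii fixes named in the article."""
from __future__ import annotations

# Fixed versions from the article, keyed by product and major release branch.
FIXED_VERSIONS = {
    "craftcms": {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)},
    "yii2": {2: (2, 0, 52)},
}


def parse_version(text: str) -> tuple[tuple[int, ...], bool]:
    """Parse '4.14.15' or 'v5.6.17-beta.1' into (numeric tuple, is_prerelease)."""
    core, _, suffix = text.strip().lstrip("v").partition("-")
    core = core.split("+", 1)[0]  # drop build metadata such as '+sha'
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(piece))
    return tuple(parts), bool(suffix)


def is_patched(product: str, version: str) -> bool | None:
    """True if version is at or above the fix for its branch, False if below,
    None when no fixed version is known for that branch (e.g. Craft CMS 2.x)."""
    parsed, prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get(product, {}).get(parsed[0])
    if fixed is None:
        return None
    if parsed == fixed:
        # 5.6.17-beta.1 precedes the 5.6.17 release and so lacks the fix.
        return not prerelease
    # Tuple comparison is element-wise, not string-wise: (4, 9, 2) < (4, 14, 15).
    return parsed > fixed


def triage(inventory: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Map each host to 'patched', 'VULNERABLE' or 'unknown' from (product, version)."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(p, v)] for host, (p, v) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "web-01": ("craftcms", "4.14.15"),
        "web-02": ("craftcms", "4.9.2"),
        "web-03": ("craftcms", "5.6.17-beta.1"),
        "web-04": ("craftcms", "2.9.0"),
        "api-01": ("yii2", "2.0.51"),
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```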

A scan of exposed systems via Onyphe revealed nearly 35,000 instances of Craft CMS online. Using nuclei templates, researchers identified about 13,000 vulnerable instances linked to around 6,300 IP addresses, the majority of which are located in the United States. The team found signs of potential compromise in approximately 300 systems, identified through suspicious file artifacts.

Orange Cyberdefense has released a list of Indicators of Compromise (IoCs) associated with these attacks and urges system administrators to apply patches immediately and inspect their environments for any signs of compromise.

Source: https://securityaffairs.com/177085/hacking/attackers-chained-craft-cms-zero-days-attacks-in-the-wild.html