- Researchers discovered two critical-severity zero-days in Craft CMS
- Criminals are allegedly chaining them together to gain access
- Some 300 sites already fell victim
Cybercriminals are abusing two zero-day vulnerabilities in the Craft content management system (CMS) to access flawed servers and run malicious code remotely (RCE). This is according to cybersecurity researchers Orange Cyberdefense SenePost, who first saw the bugs being abused in mid-February this year.
The two vulnerabilities are now tracked as CVE-2025-32432, and CVE-2204-58136. The former is a remote code execution bug with the maximum severity score – 10/10 (critical).
The latter is described as an improper protection of alternate path bug in the Yii PHP framework that grants access to restricted functionality or resources. It is a regression of an older bug tracked as CVE-2024-4990, and was given a severity score of 9.0/10 (also critical).
Second increase
“CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server,” the researchers explained.
“In versions 3.x of Craft CMS, the asset ID is checked before the creation of the transformation object whereas in versions 4.x and 5.x, the asset ID is checked after. Thus, for the exploit to function with every version of Craft CMS, the threat actor needs to find a valid asset ID.”
Researchers determined that there were approximately 13,000 vulnerable Craft CMS endpoints. Almost 300 were allegedly already targeted. All users are advised to look for indicators of compromise and, if found, refresh security keys, rotate database credentials, reset user passwords, and block malicious requests at the firewall level.
A patch is now available for the flaws, too. Users should make sure their Craft CMS instances are running versions 3.9.15, 4.14.15, and 5.6.17.
The bugs have not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Via The Hacker News
Leave a comment