Attackers chained Craft CMS zero-days attacks in the wild

Pierluigi Paganini April 28, 2025

Orange Cyberdefense’s CSIRT reported that threat actors exploited two vulnerabilities in Craft CMS to breach servers and steal data.

Orange Cyberdefense’s CSIRT warns that threat actors chained two Craft CMS vulnerabilities in recent attacks. Orange experts discovered the flaws while investigating a server compromise.

Today Craft announces a RCE vulnerability affecting CMS – known as #CVE-2025-32432. This vulnerability has been reported by Orange Cyberdefense a month ago after our CSIRT investigated a case where two 0-day vulnerabilities have been exploited 1/6https://t.co/ndHdjHFyYj
— CERT Orange Cyberdefense (@CERTCyberdef) April 25, 2025

The two vulnerabilities, tracked as CVE-2025-32432 and CVE-2024-58136, are respectively a remote code execution (RCE) in Craft CMS and an input validation flaw in the Yii framework used by Craft CMS.

.According to a report published by SensePost, Orange Cyberdefense’s ethical hacking team, threat actors exploited the two vulnerabilities to breach servers and upload a PHP file manager. The attack began with the exploitation of the flaw CVE-2025-32432 by sending a crafted request with a “return URL” that was saved in a PHP session file.

Then, attackers exploited the vulnerability CVE-2024-58136 in the Yii framework used by Craft CMS. The attacker sent a malicious JSON payload, executing PHP code from the session file. This enabled the installation of a PHP-based file manager, further compromising the server.

Both vulnerabilities have been fixed; the flaw CVE-2025-32432 has been addressed with the release of versions 3.9.15, 4.14.15, and 5.6.17. The development team behind Yii addressed the issue with the release of Yii 2.0.52 in April. 9th.

The investigation revealed nearly 35,000 Craft CMS instances using the Onyphe asset database. By applying a nuclei template, researchers identified around 13,000 vulnerable instances connected to approximately 6,300 IP addresses, mostly located in the U.S. Further analysis found about 300 potentially compromised instances based on specific file patterns.

“Based on the Onyphe asset database, we were able to identify almost 35K unique FQDN hosting CraftCMS instances.” reads the report published by Orange Cyberdefense’s CSIRT. “We found ~13000 vulnerable instances using our nuclei template. These instances are linked to ~6300 IP addresses. Most of them are located in the United States of America.”

Orange Cyberdefense’s CSIRT released indicators of compromise (IoCs) associated with attacks exploiting the two vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Craft CMS)

Pierluigi Paganini July 24, 2025

Stealth backdoor found in WordPress mu-Plugins folder

Pierluigi Paganini July 24, 2025