Critical Craft CMS RCE 0-Day Vulnerability Exploited in Attacks to Steal Data

According to security researchers at CERT Orange Cyberdefense, a critical remote code execution (RCE) vulnerability in Craft CMS is actively being exploited to breach servers and steal data.

The vulnerability, tracked as CVE-2025-32432 and assigned a maximum CVSS score of 10.0, affects all versions of Craft CMS prior to 3.9.15, 4.14.15, and 5.6.17.

CMS RCE 0-Day Vulnerability

Security researchers discovered attackers are chaining two vulnerabilities in sophisticated zero-day attacks. The first vulnerability (CVE-2025-32432) allows attackers to send specially crafted requests containing a “return URL” parameter that gets saved in a PHP session file.

The second vulnerability exploits a flaw in the Yii framework (CVE-2024-58136) that Craft CMS utilizes, enabling attackers to execute malicious PHP code on the server.

The vulnerability was initially reported on April 7, 2025, when Craft CMS received information about a flaw related to the Yii framework, which was fixed in Yii 2.0.52 released on April 9th.

After confirming the vulnerability, Craft CMS released patched versions on April 10th with an application-level fix. By April 17th, evidence emerged of active exploitation in the wild, prompting Craft CMS to email all potentially affected license holders.

According to Orange Cyberdefense, attackers have used this exploit chain to install PHP-based file managers on compromised servers, upload additional backdoors, and exfiltrate sensitive data.

Users should check their logs for suspicious POST requests to the “actions/assets/generate-transform” endpoint containing the string “__class” in the body, which indicates potential scanning for this vulnerability.
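The log check described above, written out as an added example (not code from the article, Orange Cyberdefense, or the Craft CMS project): it scans access-log lines for POST requests to the "actions/assets/generate-transform" endpoint and flags those whose body carries the "__class" indicator. The log lines are constructed for the example; the format assumed is the combined access-log format with one extra trailing quoted field holding the request body, as a WAF or application request logger might record it. Standard web-server access logs do not record request bodies, so on those only the method-and-endpoint part of the check applies and the matching POSTs are returned as lower-severity items for manual review.

```python
"""Scan access-log lines for the CVE-2025-32432 probe pattern: POST requests to
the Craft CMS "actions/assets/generate-transform" endpoint whose body contains
"__class". Added example; log format and sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import unquote_plus

# Constructed sample log (RFC 5737 test addresses, made-up timestamps).
# Assumed format: combined log format plus a final quoted field with the
# request body, as some WAF/application loggers emit. "-" means no body logged.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Apr/2025:10:01:12 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 200 512 "-" "curl/8.0" "assetId=1&handle=__class"
203.0.113.10 - - [17/Apr/2025:10:01:13 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 512 "-" "curl/8.0" "assetId=1&handle=%5F%5Fclass"
198.51.100.7 - - [17/Apr/2025:10:02:00 +0000] "GET /actions/assets/generate-transform?assetId=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [17/Apr/2025:10:02:05 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 200 512 "-" "Mozilla/5.0" "assetId=5&handle=thumb"
192.0.2.44 - - [17/Apr/2025:10:03:00 +0000] "POST /actions/users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "loginName=x&password=y"
"""

# Endpoint and body indicator named in the article.
TARGET_ENDPOINT = "actions/assets/generate-transform"
INDICATOR = "__class"

# Combined log format followed by one extra quoted body field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<body>.*)"$'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    severity: str  # "high": indicator present; "low": endpoint hit, no indicator seen
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a POST to the target endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real deployment would count these
    if m["method"] != "POST" or TARGET_ENDPOINT not in m["path"]:
        return None
    # Percent-decode so an encoded "__class" (e.g. %5F%5Fclass) is not missed.
    body = unquote_plus(m["body"])
    if INDICATOR in body:
        return Finding(m["ip"], m["ts"], m["path"], "high",
                       f'body contains "{INDICATOR}" (CVE-2025-32432 probe pattern)')
    return Finding(m["ip"], m["ts"], m["path"], "low",
                   "POST to targeted endpoint; no indicator in logged body "
                   "(legitimate transform requests also hit this endpoint)")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line and keep the ones that produced a finding."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def suspicious_sources(findings: Iterable[Finding]) -> Set[str]:
    """Client addresses with at least one high-severity finding."""
    return {f.ip for f in findings if f.severity == "high"}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity}] {f.timestamp} {f.ip} {f.path}: {f.reason}")
    print("sources to investigate:", sorted(suspicious_sources(results)))
```

Run against real logs by feeding the file's lines to `scan()` in place of `SAMPLE_LOG`; the regex will need adjusting to whatever body-logging layout the server actually uses. A high-severity hit is the cue to start the compromise checks the article lists below (key rotation, credential rotation, forced password resets), not proof of a successful exploit on its own.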

To mitigate the risk, users should immediately update to the patched versions. For those unable to update, Craft CMS recommends blocking suspicious payloads at the firewall level or installing the Craft CMS Security Patches library as a temporary workaround.

If a system is believed to be compromised, administrators should refresh their security key using php craft setup/security-key, rotate any private keys stored as environment variables, rotate database credentials, and force password resets for all users.

Craft Cloud has configured its global firewall to block malicious requests targeting this exploit, but users are still encouraged to update to the patched versions.

This is the second major vulnerability affecting Craft CMS this year, following CVE-2025-23209, which was added to CISA’s Known Exploited Vulnerabilities catalog in February 2025.
