Craft CMS RCE Exploit Chain Used in Zero-Day Attacks to Steal Data
Summary:
Orange Cyberdefense's CSIRT has observed ongoing attacks against Craft CMS that chain two distinct zero-day vulnerabilities in sequence to upload a PHP file manager. The first step uses CVE-2025-32432, a remote code execution flaw in Craft CMS itself with a critical CVSS score of 10.0. Attackers send a request carrying a "return URL" value that Craft saves into a PHP session file. They then exploit CVE-2024-58136, an input validation vulnerability in the Yii framework on which Craft CMS is built: a malicious JSON payload causes the PHP code stored in the session file to be executed, and the attackers use this to install a PHP-based file manager on the server, which serves as a foothold for compromising more of the network. From there they can deploy backdoors and exfiltrate data. Patches addressing CVE-2024-58136 were released in Yii version 2.0.52 on April 9th, and Craft CMS issued fixes for CVE-2025-32432 in versions 3.9.15, 4.14.15, and 5.6.17 on April 10th. Although Craft CMS has not yet updated the bundled Yii framework to the latest version, the fix for the RCE vulnerability is sufficient to break the attack chain. Notably, another Craft CMS RCE vulnerability, CVE-2025-23209, was reported by CISA as actively exploited earlier this year.
Security Officer Comments:
The coordinated exploitation of these two zero-day vulnerabilities in Craft CMS underscores the sophistication of the threat actors involved. Chaining an application-level RCE with a framework-level input validation flaw demonstrates a deep understanding of the underlying system architecture and suggests a significant investment of resources or time. Chaining two severe vulnerabilities in this way is a double-edged sword. Together, the two bugs give an attacker access and privileges that neither would provide alone; by the same token, once the Craft CMS vulnerability is patched, there is no attacker-controlled PHP code in the session file for CVE-2024-58136 to execute, and the chain collapses. The exploitation of CVE-2025-23209 flagged by CISA in February of this year highlights a pattern of targeting Craft CMS; organizations running the platform should strengthen security monitoring so that new suspicious activity is detected and responded to promptly. The forthcoming details on post-exploitation activity from Orange will provide valuable insight into the attackers' objectives and methods following initial compromise.
Suggested Corrections:
CVE-2025-32432 has been fixed in Craft 3.9.15, 4.14.15, and 5.6.17. Ensure you are running one of these versions or later for your major release line.
If you believe your site has been compromised:
- Refresh your security key in case it has already been captured. You can run the php craft setup/security-key command and copy the updated CRAFT_SECURITY_KEY environment variable to all production environments.
- If you have any other private keys stored as environment variables (e.g. S3 or Stripe), refresh those as well.
- Rotate your database credentials.
- Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database has been compromised. You can do that by running php craft resave/users --set passwordResetRequired --to "fn() => true".
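To check the version guidance above across a fleet without logging into each site, the following added script (not from Craft CMS, Yii, or any of the linked sources) reads a composer.lock, looks up the craftcms/cms and yiisoft/yii2 packages, and reports whether either is below the fixed versions named in this advisory. The sample composer.lock is constructed for illustration.

```python
import json

# Fixed Craft CMS version per major release line (from the advisory) and the
# Yii 2 release that fixed CVE-2024-58136.
CRAFT_FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
YII_FIXED = (2, 0, 52)


def parse_version(v):
    """Turn '4.14.12', 'v4.14.12' or '4.14.12-beta.1' into a tuple of ints."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def installed_versions(lock_text):
    """Map package name -> version for every package in a composer.lock."""
    lock = json.loads(lock_text)
    return {p["name"]: p["version"] for p in lock.get("packages", [])}


def assess(lock_text):
    """Return {package: finding} for components below the fixed versions."""
    pkgs = installed_versions(lock_text)
    findings = {}
    craft = pkgs.get("craftcms/cms")
    if craft is None:
        findings["craftcms/cms"] = "not present in composer.lock"
    else:
        cv = parse_version(craft)
        fixed = CRAFT_FIXED.get(cv[0]) if cv else None
        if fixed is None:
            findings["craftcms/cms"] = f"{craft}: major line not covered, check the vendor advisory"
        elif cv < fixed:  # tuple comparison, so 4.14 counts as below 4.14.15
            findings["craftcms/cms"] = (
                f"{craft}: vulnerable to CVE-2025-32432, "
                f"upgrade to {'.'.join(map(str, fixed))} or later")
    yii = pkgs.get("yiisoft/yii2")
    if yii is not None and parse_version(yii) < YII_FIXED:
        findings["yiisoft/yii2"] = (
            f"{yii}: below 2.0.52 (CVE-2024-58136); the chain is broken once "
            "Craft is patched, but track the Yii upgrade")
    return findings


# Constructed sample: an unpatched Craft 4 site with the vulnerable Yii release.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.14.12"},
    {"name": "yiisoft/yii2", "version": "2.0.51"},
]})

if __name__ == "__main__":
    for pkg, msg in assess(SAMPLE_LOCK).items():
        print(f"{pkg}: {msg}")
```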
Link(s):
https://www.bleepingcomputer.com/news/security/craft-cms-rce-exploit-chain-used-in-zero-day-attacks-to-steal-data/
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432