Ongoing attacks exploit dual Craft CMS bugs to breach servers, steal data

Security researchers at Orange Cyberdefense have warned of active exploitation of two zero-day vulnerabilities in Craft CMS, which have been chained together by threat actors in ongoing attacks to breach servers and steal data.

The vulnerabilities—CVE-2025-32432, a remote code execution (RCE) flaw in Craft CMS, and CVE-2024-58136, an input validation issue in the Yii framework used by Craft—were discovered during a forensic investigation by Orange Cyberdefense’s Computer Security Incident Response Team (CSIRT).

According to a technical report by SensePost, Orange Cyberdefense’s ethical hacking unit, attackers leveraged the chain of vulnerabilities to deploy a PHP file manager onto compromised servers, enabling deeper system access and data exfiltration.

The breach begins with exploitation of CVE-2025-32432, which allows attackers to send a specially crafted request containing a malicious ‘return URL’ parameter. This input is stored in a PHP session file, and the session file's name is returned to the client in an HTTP response.

In the second stage, attackers exploit CVE-2024-58136 in the Yii framework. A malicious JSON payload triggers the vulnerable framework to execute the code saved in the PHP session file, leading to arbitrary code execution on the server. This chain ultimately enables attackers to install a PHP-based file manager, giving them the ability to explore, exfiltrate, or manipulate server data.

The Yii framework vulnerability (CVE-2024-58136) was addressed in Yii 2.0.52, released on April 9th. Craft CMS patched the RCE vulnerability (CVE-2025-32432) the following day in versions 3.9.15, 4.14.15, and 5.6.17.

While Craft CMS has not yet updated to the latest Yii release, Orange Cyberdefense confirms that the patch set in Craft still mitigates the full attack chain.
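Since the article states that the Craft CMS patch alone mitigates the full chain, the practical check for a defender is the installed Craft version against the fixed releases named above (3.9.15, 4.14.15, 5.6.17), with the Yii version as secondary information. The following script is an added example, not code from the article or from Craft CMS; it reads a composer.lock, compares the package versions against those release numbers, and reports whether the deployment is still exposed. The Composer package names `craftcms/cms` and `yiisoft/yii2` and the sample lock file are assumptions for the example and should be confirmed against your own installation.

```python
import json
import re

# Minimum patched Craft CMS versions per major line, as stated in the article.
CRAFT_PATCHED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
# Yii 2 release that fixed CVE-2024-58136, as stated in the article.
YII_PATCHED = (2, 0, 52)

# Composer package names are assumed here; confirm against your own composer.lock.
CRAFT_PACKAGE = "craftcms/cms"
YII_PACKAGE = "yiisoft/yii2"


def parse_version(ver):
    """Turn '4.14.15' or 'v5.6.17' into a comparable tuple of ints (None if unparseable)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def package_versions(lock_text):
    """Map package name -> version string for every package in a composer.lock document."""
    lock = json.loads(lock_text)
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            out[pkg["name"]] = pkg["version"]
    return out


def assess(lock_text):
    """Report Craft/Yii versions and whether the published fixes are in place.

    craft_patched / yii_patched are True, False, or None (package missing or
    a major line the article gives no fixed version for).
    """
    versions = package_versions(lock_text)
    result = {
        "craft": versions.get(CRAFT_PACKAGE),
        "yii": versions.get(YII_PACKAGE),
        "craft_patched": None,
        "yii_patched": None,
    }
    craft = parse_version(result["craft"]) if result["craft"] else None
    if craft:
        floor = CRAFT_PATCHED.get(craft[0])
        result["craft_patched"] = (craft >= floor) if floor else None
    yii = parse_version(result["yii"]) if result["yii"] else None
    if yii:
        result["yii_patched"] = yii >= YII_PATCHED
    # Per the article, the Craft patch blocks the whole chain even with an older
    # Yii, so mitigation is keyed on Craft; the Yii result is informational.
    result["chain_mitigated"] = result["craft_patched"] is True
    return result


# Constructed sample composer.lock (not from any real deployment): Craft 4.14.14,
# one release before the fix, paired with a pre-fix Yii.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.14.14"},
        {"name": "yiisoft/yii2", "version": "2.0.51"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK))
```

Run it against a real lock file with `assess(open("composer.lock").read())`; a `craft_patched` of `None` means the major line is not one the article lists, so check the vendor's advisory rather than treating it as safe.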

