Scrape Timestamp (UTC): 2025-04-25 19:53:53.823
Original Article Text
Craft CMS RCE exploit chain used in zero-day attacks to steal data

Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense.

The vulnerabilities were discovered by Orange Cyberdefense's CSIRT, which was called in to investigate a compromised server. As part of the investigation, they discovered that two zero-day vulnerabilities impacting Craft CMS were exploited to breach the server:

According to a report by SensePost, the ethical hacking team of Orange Cyberdefense, the threat actors chained both vulnerabilities together to breach servers and upload a PHP file manager.

The attack begins with the exploitation of CVE-2025-32432, which allows attackers to send a specially crafted request containing a "return URL" parameter that is saved in a PHP session file. The session name is sent to the visitor as part of the response to the HTTP request.

The second stage of the attack leverages a flaw in the Yii framework (CVE-2024-58136), which Craft CMS uses. To exploit this flaw, the attacker sends a malicious JSON payload that causes the PHP code in the session file to be executed on the server. This allowed the attacker to install a PHP-based file manager on the server and compromise the system further.

Orange told BleepingComputer that they saw additional compromise steps, including further uploads of backdoors and data exfiltration. More information about this post-exploitation activity will be detailed in an upcoming blog post.

The Yii developers fixed CVE-2024-58136 in Yii 2.0.52, released on April 9th. Craft CMS fixed CVE-2025-32432 in versions 3.9.15, 4.14.15, and 5.6.17 on April 10th. Although Craft CMS did not update its bundled Yii to the patched version, Orange says that the Craft fix still blocks the attack chain.

"Today, the 2.0.51 (vulnerable) is still by default in Craft. However, with the CVE-2025-32432 fix, the Yii issue cannot be triggered now," Orange told BleepingComputer.

Craft CMS recommends that admins perform the following steps if they believe their site has been compromised:

For full indicators of compromise, including IP addresses and file names, you can view the appendix in SensePost's report.

In February, CISA also tagged a code injection (RCE) flaw tracked as CVE-2025-23209 in Craft CMS 4 and 5 as being exploited in attacks.
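A defender-side version audit built from the fix versions quoted above, added here as an example and not code from the article, Craft CMS or Orange Cyberdefense: it reads a composer.lock (the Composer package names craftcms/cms and yiisoft/yii2 are assumed, not taken from the article) and reports whether the installed Craft and Yii versions predate the fixes, reflecting the article's point that the Craft fix alone breaks the chain even when the bundled Yii is still 2.0.51.

```python
import json
import re

# Fixed versions reported in the article: Craft patched each major branch
# separately; Yii fixed its flaw in 2.0.52.
CRAFT_FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
YII_FIXED = (2, 0, 52)
# Composer package names (assumed standard names, not taken from the article).
CRAFT_PKG = "craftcms/cms"
YII_PKG = "yiisoft/yii2"


def parse_version(raw):
    """Turn '4.14.14', 'v5.6.17' or '2.0.51.1' into a comparable int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unparseable version: {raw!r}")
    return tuple(int(x) for x in m.groups())


def lock_versions(lock_text):
    """Map package name -> version string for every package in composer.lock."""
    data = json.loads(lock_text)
    pkgs = data.get("packages", []) + data.get("packages-dev", [])
    return {p["name"]: p["version"] for p in pkgs}


def assess(lock_text):
    """Report exposure to CVE-2025-32432 (Craft) and CVE-2024-58136 (Yii)."""
    versions = lock_versions(lock_text)
    result = {"craft_vulnerable": None, "yii_vulnerable": None}
    if CRAFT_PKG in versions:
        craft = parse_version(versions[CRAFT_PKG])
        fixed = CRAFT_FIXED.get(craft[0])
        # A major branch with no fix on record (e.g. EOL 2.x) is flagged for review.
        result["craft_vulnerable"] = fixed is None or craft < fixed
    if YII_PKG in versions:
        result["yii_vulnerable"] = parse_version(versions[YII_PKG]) < YII_FIXED
    # Per the article, the Craft fix alone breaks the chain even with Yii 2.0.51.
    result["chain_exploitable"] = result["craft_vulnerable"] is True
    return result


# Constructed sample lock: Craft patched, but still bundling the old Yii.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": CRAFT_PKG, "version": "4.14.15"},
    {"name": YII_PKG, "version": "2.0.51"}]})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK))
```

A site on Craft 4.14.15 with Yii 2.0.51 reports `yii_vulnerable: True` but `chain_exploitable: False`, matching Orange's statement; an unrecognised Craft major branch is conservatively flagged for review.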
Daily Brief Summary
Two chained zero-day vulnerabilities in Craft CMS were exploited to compromise servers and facilitate data theft.
The first vulnerability exploited (CVE-2025-32432) involved manipulation of a return URL saved in a PHP session file, while the second (CVE-2024-58136) exploited a flaw in the Yii framework to execute malicious PHP code.
Attackers used these vulnerabilities to install a PHP file manager and further infiltrate systems with backdoors and subsequent data exfiltration.
Orange Cyberdefense investigated and identified these vulnerabilities after being alerted to a compromised server.
Yii framework developers and Craft CMS have since released updates to address these vulnerabilities, mitigating the exploitable attack chain.
Despite the updates, admins are advised to check for signs of compromise and to consult the appendix of SensePost's report for full indicators of compromise.
Prior to this incident, CISA had identified another code injection vulnerability in Craft CMS (CVE-2025-23209) as actively exploited.