New
Craft Cms Zero-day Exploited To Compromise Hundreds Of Vulnerable Servers
- Researchers discovered two critical-severity zero-days in Craft CMS
- Criminals are allegedly chaining them together to gain access
- Some 300 sites already fell victim
Cybercriminals are abusing two zero-day vulnerabilities in the Craft content management system (CMS) to access flawed servers and run malicious code remotely (RCE). This is according to cybersecurity researchers Orange Cyberdefense SenePost, who first saw the bugs being abused in mid-February this year.
The two vulnerabilities are now tracked as CVE-2025-32432, and CVE-2204-58136. The former is a remote code execution bug with the maximum severity score - 10/10 (critical).
The latter is described as an improper protection of alternate path bug in the Yii PHP framework that grants access to restricted functionality or resources. It is a regression of an older bug tracked as CVE-2024-4990, and was given a severity score of 9.0/10 (also critical).
Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.
It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.
Preferred partner (What does this mean?)View Deal
Second increase
"CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server," the researchers explained.
"In versions 3.x of Craft CMS, the asset ID is checked before the creation of the transformation object whereas in versions 4.x and 5.x, the asset ID is checked after. Thus, for the exploit to function with every version of Craft CMS, the threat actor needs to find a valid asset ID."
Researchers determined that there were approximately 13,000 vulnerable Craft CMS endpoints. Almost 300 were allegedly already targeted. All users are advised to look for indicators of compromise and, if found, refresh security keys, rotate database credentials, reset user passwords, and block malicious requests at the firewall level.
A patch is now available for the flaws, too. Users should make sure their Craft CMS instances are running versions 3.9.15, 4.14.15, and 5.6.17.
The bugs have not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Via The Hacker News
You might also like
- US government warns this popular CMS software has a worrying security flaw
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
