In recent months, cybersecurity experts have identified a series of sophisticated attacks targeting Craft CMS, a widely used content management system. These incidents have exploited critical vulnerabilities, leading to unauthorized access and potential control over numerous servers.
Overview of the Vulnerabilities
The primary vulnerabilities exploited in these attacks are:
1. CVE-2024-58136: This flaw, with a CVSS score of 9.0, resides in the Yii PHP framework utilized by Craft CMS. It involves improper protection of alternate paths, allowing attackers to access restricted functionalities or resources. Notably, this is a regression of a previously identified vulnerability, CVE-2024-4990.
2. CVE-2025-32432: Rated at the maximum CVSS score of 10.0, this remote code execution (RCE) vulnerability affects Craft CMS directly. It was patched in versions 3.9.15, 4.14.15, and 5.6.17.
Attack Methodology
The exploitation process, as detailed by Orange Cyberdefense SensePost, involves:
– Targeting the Image Transformation Feature: Craft CMS includes a built-in feature that allows administrators to transform images into specific formats. The vulnerability CVE-2025-32432 is linked to this feature.
– Unauthenticated POST Requests: Attackers send POST requests to the endpoint responsible for image transformation. In versions 4.x and 5.x of Craft CMS, the asset ID is verified after the creation of the transformation object, creating a window for exploitation.
– Asset ID Discovery: Attackers systematically send multiple POST requests to identify valid asset IDs. Once a valid ID is found, they execute a Python script to confirm the server’s vulnerability.
– Payload Deployment: Upon confirming vulnerability, a PHP file is downloaded onto the server from a GitHub repository, granting the attacker unauthorized access.
Scope of the Attacks
As of April 18, 2025, approximately 13,000 Craft CMS instances were identified as vulnerable. Of these, nearly 300 servers have been confirmed as compromised.
Indicators of Compromise
Administrators should be vigilant for suspicious activities, particularly:
– Unusual POST Requests: Logs showing POST requests to the `actions/assets/generate-transform` endpoint, especially those containing the string `__class` in the body, may indicate probing attempts.
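The following is an added example, not code from the original article or from Orange Cyberdefense, showing how a defender could run that indicator over web-server logs. It assumes Craft's default action trigger `actions` (so the action appears as `/actions/assets/generate-transform`, as `index.php?p=actions/assets/generate-transform`, or via the `action` query parameter) and it accepts both Apache/nginx combined-format lines and one-JSON-object-per-line records from a WAF or reverse proxy that captures request bodies. The log lines are constructed samples.

```python
"""Scan web-server log lines for the probing pattern named above: POST
requests to the Craft CMS assets/generate-transform action and, where the
request body is available, the string "__class" in that body.

All log lines below are constructed samples, not real captured traffic."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Craft routes controller actions either as a path segment
# ("/actions/<action>", or "index.php?p=actions/<action>" when the script
# name is kept in URLs) or through the "action" query parameter. All three
# spellings are matched, assuming the default action trigger "actions".
ACTION = re.escape("assets/generate-transform")
ACTION_PATTERNS = (
    re.compile(r"(?:/|p=)actions/" + ACTION + r"(?![\w-])"),
    re.compile(r"[?&]action=" + ACTION + r"(?![\w-])"),
)
BODY_MARKER = "__class"

# Apache/nginx "combined" format. It records no request body, so the
# body-based check needs a WAF or reverse-proxy log (handled as JSON below).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return a dict with ip/ts/method/path/body, or None if unparseable.
    JSON-per-line records (assumed keys: ip, ts, method, path, body) are
    accepted next to combined-format lines."""
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return None
        return {
            "ip": str(rec.get("ip", "")),
            "ts": str(rec.get("ts", "")),
            "method": str(rec.get("method", "")).upper(),
            "path": str(rec.get("path", "")),
            "body": str(rec.get("body", "")),
        }
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["body"] = ""  # combined format never carries the body
    return rec


def classify(rec: dict) -> Optional[str]:
    """Reason string if the record matches the indicator, else None."""
    if rec["method"] != "POST":
        return None
    if not any(p.search(rec["path"]) for p in ACTION_PATTERNS):
        return None
    if BODY_MARKER in rec["body"]:
        return "POST to generate-transform with '__class' in body"
    return "POST to generate-transform (body not logged; inspect further)"


def scan(lines: Iterable[str]) -> list[Finding]:
    """Parse every line and collect the ones matching the indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], reason))
    return findings


# Constructed sample log: two POST probes (the second with body captured by a
# proxy), one ordinary asset fetch and one GET to the action (not flagged).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Apr/2025:10:01:02 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.23 - - [18/Apr/2025:10:02:15 +0000] "GET /assets/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '{"ip": "203.0.113.7", "ts": "18/Apr/2025:10:03:40 +0000", "method": "POST", "path": "/actions/assets/generate-transform", "body": "assetId=1&__class=probe"}',
    '198.51.100.23 - - [18/Apr/2025:10:04:01 +0000] "GET /actions/assets/generate-transform?assetId=1 HTTP/1.1" 400 73 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.path} -> {f.reason}")
```

A plain access log cannot confirm the `__class` part of the indicator, so a POST to the action is reported with a lower-confidence reason and should be followed up against proxy or WAF logs that keep bodies; a burst of such POSTs from one source, as in the asset-ID discovery step described above, is the pattern to look for.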
Recommended Actions
To mitigate the risks associated with these vulnerabilities, the following steps are advised:
1. Immediate Patching: Update Craft CMS to the latest versions (3.9.15, 4.14.15, or 5.6.17) where these vulnerabilities have been addressed.
2. Security Key Rotation: If compromise is suspected, refresh security keys to prevent unauthorized access.
3. Credential Management: Rotate database credentials and reset user passwords as a precautionary measure.
4. Firewall Configuration: Implement rules to block malicious requests at the firewall level, particularly those targeting known vulnerable endpoints.
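As an added example for the patching step (not code from the article or from Craft CMS), the helper below reads the installed `craftcms/cms` version out of a `composer.lock` document and compares it with the fixed release for its branch (3.9.15, 4.14.15 or 5.6.17, as listed above). The `composer.lock` excerpt is a constructed sample; branches other than 3, 4 and 5 are reported as not covered rather than guessed at.

```python
"""Check whether an installed Craft CMS version is at or above the release
that fixes CVE-2025-32432 on its branch (3.9.15, 4.14.15 or 5.6.17).
The composer.lock excerpt at the bottom is a constructed sample."""
import json
import re
from typing import Optional

# Fixed releases per major branch, taken from the advisory text above.
FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """'v4.14.15', '4.14.15', '5.6.17-beta.1' -> (major, minor, patch)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True/False for branches 3, 4 and 5; None for a branch the advisory
    does not cover, which needs a separate assessment."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


def installed_craft_version(composer_lock: str) -> Optional[str]:
    """Return the craftcms/cms version recorded in a composer.lock document,
    or None if the package is not listed."""
    data = json.loads(composer_lock)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed composer.lock excerpt: one release behind the 4.x fix.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "example/dependency", "version": "1.0.0"},
        {"name": "craftcms/cms", "version": "4.14.14"},
    ]
})

if __name__ == "__main__":
    installed = installed_craft_version(SAMPLE_COMPOSER_LOCK)
    state = is_patched(installed) if installed else None
    print(installed, {True: "patched", False: "NOT patched", None: "branch not covered"}[state])
```

Run it against the real `composer.lock` of each deployment (for example by passing the file contents to `installed_craft_version`) rather than trusting a control-panel banner, since the lock file records what Composer actually installed.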
Conclusion
The exploitation of these critical vulnerabilities in Craft CMS underscores the importance of proactive cybersecurity measures. Regular updates, vigilant monitoring, and prompt response to potential threats are essential to safeguard digital assets against evolving cyber threats.