Critical Remote Code Execution Vulnerability in Craft CMS Exploited to Steal Data

Security researchers at CERT Orange Cyberdefense have identified a critical remote code execution (RCE) vulnerability in Craft CMS, actively exploited by attackers to breach servers and exfiltrate data. This vulnerability, designated as CVE-2025-32432 with a maximum CVSS score of 10.0, affects all versions of Craft CMS prior to 3.9.15, 4.14.15, and 5.6.17.

Understanding the Vulnerability

The exploitation involves a sophisticated attack chain combining two vulnerabilities:

1. CVE-2025-32432 in Craft CMS: Attackers send specially crafted requests containing a return URL parameter, which is then saved in a PHP session file.

2. CVE-2024-58136 in the Yii Framework: Craft CMS utilizes the Yii framework, and this flaw allows attackers to execute malicious PHP code on the server.

By leveraging these vulnerabilities, attackers can gain unauthorized access to servers running vulnerable versions of Craft CMS.

Timeline of Events

– April 7, 2025: Craft CMS was informed of a flaw related to the Yii framework.

– April 9, 2025: The Yii framework released version 2.0.52, addressing the identified issue.

– April 10, 2025: Craft CMS released patched versions to implement an application-level fix.

– April 17, 2025: Evidence of active exploitation in the wild emerged, prompting Craft CMS to notify all potentially affected license holders.

Impact of the Exploit

According to Orange Cyberdefense, attackers have utilized this exploit chain to:

– Install PHP-based file managers on compromised servers.

– Upload additional backdoors.

– Exfiltrate sensitive data.

Detection and Mitigation

Administrators should inspect logs for suspicious POST requests to the actions/assets/generate-transform endpoint containing the string __class in the body, indicating potential scanning for this vulnerability.
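The log check described above, worked through as an added example (this is not code from the article, Orange Cyberdefense or the Craft CMS project). It assumes request records are available as JSON lines that include the request body, since ordinary web server access logs do not capture bodies; the sample records, addresses and field names are constructed for the example. The body is percent-decoded once before matching so that an encoded `%5F%5Fclass` is treated the same as a plain `__class`, and the action name is looked up in the full path and query so that both `/actions/...` and `index.php?p=actions/...` routing styles match.

```python
import json
from collections import Counter
from urllib.parse import unquote_plus

# Indicators named in the advisory: a POST to the generate-transform action
# whose body contains the string "__class".
TARGET_ACTION = "actions/assets/generate-transform"
INDICATOR = "__class"

# Constructed sample records (JSON lines, one request per line). Ordinary web
# server access logs do not record request bodies, so this assumes a WAF,
# reverse proxy or application log that captures them. Addresses are taken
# from documentation ranges, not real sources.
SAMPLE_LOG = """
{"ts": "2025-04-17T10:01:02Z", "src": "203.0.113.5", "method": "POST", "path": "/index.php?p=actions/assets/generate-transform", "body": "assetId=1&handle=x&__class=foo"}
{"ts": "2025-04-17T10:01:03Z", "src": "203.0.113.5", "method": "POST", "path": "/actions/assets/generate-transform", "body": "a=1&%5F%5Fclass=bar"}
{"ts": "2025-04-17T10:02:00Z", "src": "198.51.100.9", "method": "POST", "path": "/actions/assets/generate-transform", "body": "assetId=7&handle=thumb"}
{"ts": "2025-04-17T10:03:00Z", "src": "192.0.2.44", "method": "GET", "path": "/actions/assets/generate-transform?assetId=7", "body": ""}
{"ts": "2025-04-17T10:04:00Z", "src": "192.0.2.44", "method": "POST", "path": "/actions/users/login", "body": "loginName=x&password=y"}
"""


def classify(record):
    """Return "high", "info" or None for one request record.

    "high": POST to the target action with "__class" in the decoded body
            (the fingerprint the advisory describes).
    "info": other POSTs to the same action; the control panel issues these
            legitimately, so they are kept for context rather than alerting.
    None:   everything else.
    """
    # Decode percent-encoding so "%5F%5Fclass" and "__class" are treated alike;
    # the action name is searched in the whole path+query so both the
    # "/actions/..." and "index.php?p=actions/..." routing styles match.
    target = unquote_plus(record.get("path", ""))
    if TARGET_ACTION not in target:
        return None
    if record.get("method", "").upper() != "POST":
        return None
    body = unquote_plus(record.get("body", ""))
    return "high" if INDICATOR in body else "info"


def scan(log_text):
    """Parse JSON lines and return the matching records with a severity."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        severity = classify(record)
        if severity is not None:
            hits.append({"ts": record.get("ts"), "src": record.get("src"),
                         "method": record.get("method"), "severity": severity})
    return hits


def high_by_source(hits):
    """Count "high" hits per source address to prioritise follow-up."""
    return dict(Counter(h["src"] for h in hits if h["severity"] == "high"))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']:<14} {h['severity']}")
    print("high hits by source:", high_by_source(found))
```

Run against the sample, the two requests from 203.0.113.5 come back as "high", the ordinary control-panel POST as "info", and the GET and the unrelated login POST are ignored. Sources with repeated "high" hits are the ones worth checking first against the post-compromise steps listed further down.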

Recommended Actions:

1. Immediate Update: Upgrade to the patched versions of Craft CMS: 3.9.15, 4.14.15, or 5.6.17.

2. Temporary Workarounds: If immediate updating is not feasible, consider:

– Blocking suspicious payloads at the firewall level.

– Installing the Craft CMS Security Patches library as a temporary measure.

3. Post-Compromise Measures: If a system is suspected to be compromised:

– Refresh the security key using `php craft setup/security-key`.

– Rotate any private keys stored as environment variables.

– Change database credentials.

– Enforce password resets for all users.
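To decide whether the "Immediate Update" step applies to a given install, the fixed versions from the advisory (Craft CMS 3.9.15, 4.14.15, 5.6.17 and Yii 2.0.52) can be compared against what `composer.lock` pins. The following is an added example, not code from the article or from the Craft or Yii projects; it assumes the standard `composer.lock` layout (a `packages` list of objects with `name` and `version`) and a constructed lock fragment. Treating a pre-release tag as its base version is this helper's own simplification, not something the advisory states.

```python
import json

# Earliest fixed release on each Craft CMS branch named in the advisory,
# plus the Yii release that closed the framework-side flaw.
FIXED_CRAFT = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
FIXED_YII = (2, 0, 52)


def parse_version(text):
    """Turn "v4.14.14" or "5.6.17-beta.1" into a (major, minor, patch) tuple.

    A leading "v" and any pre-release/build suffix are dropped; missing
    components count as 0. Pre-release tags are compared as their base
    version, which is an assumption of this helper.
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if the Craft version predates the fix for its branch, False if
    it is fixed, None if the branch is not covered by the advisory."""
    v = parse_version(version)
    fixed = FIXED_CRAFT.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def yii_needs_update(version):
    """True if the installed Yii 2 release predates 2.0.52."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_YII


def installed_version(composer_lock_text, package):
    """Read the version pinned for one package in a composer.lock document."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"]
    return None


# Constructed composer.lock fragment, trimmed to the fields this check reads.
SAMPLE_COMPOSER_LOCK = """
{
  "packages": [
    {"name": "craftcms/cms", "version": "4.14.14"},
    {"name": "yiisoft/yii2", "version": "2.0.51"}
  ]
}
"""

if __name__ == "__main__":
    craft = installed_version(SAMPLE_COMPOSER_LOCK, "craftcms/cms")
    yii = installed_version(SAMPLE_COMPOSER_LOCK, "yiisoft/yii2")
    labels = {True: "VULNERABLE", False: "patched", None: "not covered"}
    print(f"craftcms/cms {craft}: {labels[is_vulnerable(craft)]}")
    print(f"yiisoft/yii2 {yii}: {'needs update' if yii_needs_update(yii) else 'ok'}")
```

Both checks are reported separately because the application-level fix in Craft and the framework fix in Yii are distinct releases; an install that has updated only one of them still shows up as needing work.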

Craft Cloud’s Response

Craft Cloud has configured its global firewall to block malicious requests targeting this exploit. However, users are still strongly encouraged to update to the patched versions to ensure comprehensive protection.

Previous Vulnerabilities

This incident marks the second major vulnerability affecting Craft CMS in 2025. Earlier, CVE-2025-23209 was added to CISA’s Known Exploited Vulnerabilities catalog in February 2025.

Conclusion

The discovery and active exploitation of CVE-2025-32432 underscore the critical importance of timely software updates and vigilant monitoring. Organizations using Craft CMS should prioritize implementing the recommended security measures to safeguard their systems and data.