A financially motivated cybercriminal group, identified as Mimo, has been exploiting a critical vulnerability in the Craft Content Management System (CMS) to infiltrate servers and deploy malicious payloads, including cryptocurrency miners and proxyware. This vulnerability, designated as CVE-2025-32432, allows for remote code execution and has been actively targeted since its disclosure.
Understanding CVE-2025-32432
CVE-2025-32432 is a severe security flaw in Craft CMS, affecting versions from 3.0.0-RC1 up to, but not including, 3.9.15; from 4.0.0-RC1 up to, but not including, 4.14.15; and from 5.0.0-RC1 up to, but not including, 5.6.17. This vulnerability enables unauthenticated attackers to execute arbitrary code on affected systems. The issue was first identified by Orange Cyberdefense SensePost in February 2025 and publicly disclosed in April 2025. Craft CMS promptly addressed the flaw by releasing patches in versions 3.9.15, 4.14.15, and 5.6.17.
Mimo’s Exploitation Tactics
According to a report by Sekoia, Mimo has been leveraging CVE-2025-32432 to gain unauthorized access to vulnerable Craft CMS installations. The attack sequence typically unfolds as follows:
1. Initial Access: Mimo exploits the CVE-2025-32432 vulnerability to infiltrate the target system.
2. Web Shell Deployment: Upon gaining access, the attackers deploy a web shell, providing persistent remote control over the compromised server.
3. Payload Delivery: The web shell is used to download and execute a shell script named 4l4md4r.sh from a remote server. This script is retrieved using tools like curl, wget, or Python’s urllib2 library.
4. System Preparation: The shell script performs several preparatory actions:
– Detection and Removal: It checks for signs of previous infections and uninstalls any existing cryptocurrency mining software.
– Process Termination: The script terminates active XMRig processes and other competing mining tools to ensure exclusive use of system resources.
5. Loader Execution: The script then executes an ELF binary named 4l4md4r, also referred to as Mimo Loader.
6. System Modification: Mimo Loader writes the path of a malicious shared object (alamdar.so) into /etc/ld.so.preload. The dynamic linker loads every library listed in that file into each new dynamically linked process, so the object can hook libc calls such as readdir and filter the miner and proxyware out of /proc listings, hiding them from ps, top and similar tools.
7. Final Payload Deployment: The loader installs two primary payloads:
– IPRoyal Proxyware: This client enrols the infected machine in a residential proxy network and sells its bandwidth; the attackers collect the payout, and the victim's IP address ends up relaying traffic for whoever buys access to the network.
– XMRig Miner: A cryptocurrency mining application that utilizes the system’s processing power to mine Monero, generating illicit profits for the attackers.
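A practitioner reading the chain above usually wants a quick way to test a Linux host for the preload step. The script below is an added example written for this article, not code from Sekoia's report or from Mimo's loader. It parses /etc/ld.so.preload and lists every shared object registered there (most hosts have no such file), then looks for hidden processes by comparing the PIDs that readdir() reports for /proc with the PIDs found by stat()-ing /proc/<pid> across the whole pid_max range: a preload hook that filters directory listings leaves the stat() path alone, so the difference is the set of hidden processes. The file path and the alamdar.so name in the comments come from the article; everything else is the example's own design.

```python
"""Hunt for the LD_PRELOAD process-hiding step used by Mimo Loader.

Added example, not code from Sekoia or from the malware. Two checks:
  1. parse /etc/ld.so.preload and report every shared object listed there;
  2. compare the PIDs readdir() returns for /proc with the PIDs found by
     stat()-ing /proc/<pid> for every possible PID.
Caveat: a hook that also wraps stat()/lstat() would defeat check 2; repeat
the comparison from a statically linked binary if the host is suspect.
"""
import os
import re

PID_RE = re.compile(r"^\d+$")


def parse_preload(text):
    """Return the shared-object paths listed in an ld.so.preload file.

    Mirrors the loader's parsing: entries separated by whitespace or ':',
    anything after '#' on a line is a comment.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(e for e in re.split(r"[\s:]+", line) if e)
    return entries


def hidden_pids(listed, probed):
    """PIDs present when probed directly but absent from the listing."""
    return sorted(set(probed) - set(listed))


def listed_proc_pids():
    """PIDs as seen through readdir(), the call a preload hook typically filters."""
    return {int(n) for n in os.listdir("/proc") if PID_RE.match(n)}


def probed_proc_pids(pid_max=None):
    """PIDs found by stat()-ing /proc/<pid> for every candidate PID.

    os.path.exists() issues a stat() and never touches readdir().
    Probing the full pid_max range (often 4194304) can take tens of seconds.
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}


def proc_name(pid):
    """Best-effort process name from /proc/<pid>/comm."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "?"


def main():
    preload = "/etc/ld.so.preload"
    if os.path.exists(preload):
        with open(preload) as f:
            entries = parse_preload(f.read())
        if not entries:
            print(f"[+] {preload} exists but lists nothing")
        for so in entries:  # e.g. a path ending in alamdar.so in the Mimo case
            state = "present" if os.path.exists(so) else "missing on disk"
            print(f"[!] preloaded into every process: {so} ({state})")
    else:
        print(f"[+] no {preload}")

    before = listed_proc_pids()
    probed = probed_proc_pids()
    after = listed_proc_pids()
    # A PID seen by stat() but by neither listing is either a process that
    # lived only during the probe or a hidden one; re-check to drop the former.
    for pid in hidden_pids(before | after, probed):
        if os.path.exists(f"/proc/{pid}") and pid not in listed_proc_pids():
            print(f"[!] hidden process: pid={pid} comm={proc_name(pid)}")


if __name__ == "__main__":
    main()
```

Run it as root so /proc/<pid>/comm is readable for every process; a non-empty /etc/ld.so.preload on a server that never configured one, or any PID reported as hidden, is reason to image the host rather than keep cleaning it in place.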
Dual Monetization Strategy
By deploying both a cryptocurrency miner and proxyware, Mimo effectively monetizes the compromised systems through two avenues:
– Cryptojacking: The unauthorized use of a victim’s computing resources to mine cryptocurrency.
– Proxyjacking: The exploitation of the victim’s internet bandwidth by enrolling the system into a proxy network, which can be used for various illicit activities, including anonymizing malicious traffic.
Mimo’s Evolution and Previous Activities
Mimo has been active since at least March 2022, consistently exploiting known vulnerabilities to deploy cryptominers. Their previous campaigns have targeted flaws in:
– Apache Log4j (CVE-2021-44228): A critical vulnerability in the widely used logging library.
– Atlassian Confluence (CVE-2022-26134): A remote code execution flaw in the collaboration platform.
– PaperCut (CVE-2023-27350): A vulnerability in the print management software.
– Apache ActiveMQ (CVE-2023-46604): A flaw in the open-source message broker.
In 2023, Mimo expanded their operations to include ransomware attacks, utilizing a Go-based strain known as Mimus, which is a fork of the open-source MauriCrypt project. This diversification indicates a strategic shift towards maximizing financial gains through multiple attack vectors.
Indicators of Compromise and Detection
Sekoia’s analysis revealed that the exploitation efforts originated from a Turkish IP address (85.106.113[.]168). Additionally, the attack scripts import Python’s urllib2 library under the alias fbi (import urllib2 as fbi), a distinctive coding choice that can be used to identify the group’s scripts.
Mitigation and Recommendations
To protect against such exploits, organizations using Craft CMS should:
1. Update Systems Promptly: Ensure that Craft CMS installations are updated to the latest patched versions (3.9.15, 4.14.15, or 5.6.17) to mitigate CVE-2025-32432.
2. Monitor for Suspicious Activity: Review web server and WAF logs for requests to the assets/generate-transform action (the /actions/assets/generate-transform path, or the same action requested through Craft’s action query parameter) and treat any request whose query string or body contains the string __class as a probable exploitation attempt. Note that standard access logs record the request line but not the POST body, so the __class check on bodies requires body logging at the WAF or reverse proxy.
3. Implement Web Application Firewalls (WAFs): Deploy WAFs to detect and block malicious requests targeting known vulnerabilities.
4. Conduct Regular Security Audits: Perform periodic security assessments to identify and remediate potential vulnerabilities.
5. Educate and Train Staff: Provide cybersecurity training to staff to recognize and respond to potential threats effectively.
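The log check in recommendation 2 is simple enough to script. The following is an added example written for this article, not code from Craft CMS, Sekoia or any vendor. It parses combined-format access log lines, optionally followed by a quoted request body as some WAF and reverse-proxy configurations append (an assumed layout), flags every request to the assets/generate-transform action, raises the severity when __class is visible in the decoded query string or body, and tags the Turkish IP address reported by Sekoia. The sample log lines are constructed for the example; the parameter name wrapped around __class in the sample body is a placeholder, as the only marker the article gives is the __class string itself.

```python
"""Flag CVE-2025-32432 probing in web server / WAF access logs.

Added example, not Craft's or Sekoia's code. Severity rules:
  high   - '__class' visible in the decoded query string or logged body
  medium - POST to the action with no body available to inspect
  low    - any other request to the action (worth a look, not an alert)
"""
import re
from urllib.parse import unquote_plus

# IOC from Sekoia's report as cited in the article.
KNOWN_IOC_IPS = {"85.106.113.168"}

# Combined log format, optionally followed by a quoted request body
# (assumed layout; adjust the regex to the proxy/WAF format in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?'
)

ACTION = "assets/generate-transform"
MARKER = "__class"


def classify(line):
    """Return a hit dict for a request to the vulnerable action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once so '%5B__class%5D' and 'handle[__class]' look the same.
    target = unquote_plus(m["target"])
    body = unquote_plus(m["body"] or "")
    if ACTION not in target:
        return None
    hit = {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "status": m["status"],
        "ioc_ip": m["ip"] in KNOWN_IOC_IPS,
    }
    if MARKER in target or MARKER in body:
        hit["severity"] = "high"
        hit["reason"] = f"{MARKER} present in request"
    elif m["method"] == "POST":
        hit["severity"] = "medium"
        hit["reason"] = "POST to action, body not logged"
    else:
        hit["severity"] = "low"
        hit["reason"] = "request to action"
    return hit


def scan(log_text):
    """Classify every line of a log; lines that are not hits are dropped."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


# Constructed sample lines for the example (not real traffic). The body on the
# second line uses a placeholder parameter name around the __class marker.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2025:10:12:01 +0000] "GET /index.php?p=actions/assets/generate-transform&assetId=1 HTTP/1.1" 200 512
85.106.113.168 - - [26/May/2025:10:12:03 +0000] "POST /index.php?action=assets/generate-transform HTTP/1.1" 200 88 "assetId=1&param%5B__class%5D=REDACTED"
198.51.100.9 - - [26/May/2025:10:12:05 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 400 0
192.0.2.10 - - [26/May/2025:10:12:07 +0000] "GET /index.php?p=blog HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = " [known IOC ip]" if hit["ioc_ip"] else ""
        print(f'{hit["severity"]:6} {hit["ip"]:15} {hit["method"]:4} {hit["status"]} {hit["reason"]}{flag}')
```

Point scan() at real logs with something like scan(open(path).read()) and forward high hits to the alerting pipeline; the medium bucket exists precisely because a plain access log cannot show the body, which is the argument for enabling body logging at the edge on Craft installations that could not be patched immediately.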
Conclusion
The Mimo group’s exploitation of CVE-2025-32432 in Craft CMS underscores the critical importance of timely vulnerability management and proactive security measures. By staying vigilant and implementing robust security practices, organizations can defend against such sophisticated threats and safeguard their digital assets.