Threat actors are actively exploiting two newly disclosed critical vulnerabilities in Craft CMS to hack servers and gain unauthorized access.
The attacks were first detected by Orange Cyberdefense SensePost on February 14, 2025. They involve chaining two flaws:
- CVE-2024-58136 (CVSS 9.0): An improper protection of alternate paths in the Yii PHP framework used by Craft CMS, allowing attackers to access restricted resources. (A regression of CVE-2024-4990.)
- CVE-2025-32432 (CVSS 10.0): A remote code execution (RCE) flaw in Craft CMS, now patched in versions 3.9.15, 4.14.15, and 5.6.17.
According to researchers, CVE-2025-32432 exists in Craft CMS’s image transformation feature. This tool helps administrators maintain consistent image formats across websites.
Security researcher Nicolas Bourras explained that the vulnerability allows an unauthenticated user to send a specially crafted POST request. The server would then process this data without proper validation. In Craft CMS version 3.x, asset IDs are checked before creating transformation objects. In versions 4.x and 5.x, the ID check happens afterward, making the exploit possible across all major releases — provided the attacker can guess a valid asset ID.
In Craft CMS, asset IDs are unique identifiers assigned to uploaded documents and media files.
Threat actors are repeatedly sending POST requests until they discover a valid asset ID. Once found, they use a Python script to check for vulnerability. If successful, the script downloads a malicious PHP file from a GitHub repository onto the server.
Between February 10 and 11, 2025, attackers enhanced their scripts by automating multiple download attempts of the filemanager.php payload. By February 12, the file was renamed to autoload_classmap.php and was first deployed during attacks on February 14.
Over 13,000 Craft CMS Instances at Risk
As of April 18, 2025, about 13,000 Craft CMS installations remain vulnerable. Nearly 300 instances have already been compromised, according to estimates.
Craft CMS has issued a warning:
“If you check your firewall or server logs and find suspicious POST requests to the actions/assets/generate-transform controller endpoint, especially with __class in the request body, your site has been scanned. However, scanning does not mean a successful breach.”
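The log check Craft CMS describes above, applied to sample log lines as an added example (this is not code from Craft CMS or from the Orange Cyberdefense research). It assumes a proxy or WAF log format with an optional body="..." field and uses constructed addresses and requests; standard web-server access logs do not record request bodies, so on those only the endpoint check can fire. Following the advisory's own distinction, a POST to the endpoint alone is rated as a scan, and only a body carrying __class is rated as a likely exploit attempt.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumed log format (constructed for this example): combined-style access log
# from a reverse proxy or WAF, optionally followed by body="..." when the
# request body was captured. Real nginx/Apache access logs omit the body.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
    r'(?: body="(?P<body>(?:[^"\\]|\\.)*)")?$'
)

# Controller endpoint named in the Craft CMS warning. Craft routes it either as
# a path segment or via the "p=" query parameter, so match the whole request target.
TARGET_ENDPOINT = "actions/assets/generate-transform"


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    severity: str  # "scan" or "likely-exploit-attempt"
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious POST to the transform endpoint, else None."""
    m = LOG_LINE.match(line)
    if not m or m["method"] != "POST":
        return None
    if TARGET_ENDPOINT not in m["path"]:
        return None
    body = m["body"] or ""
    if "__class" in body:
        return Finding(m["ip"], m["ts"], m["path"], "likely-exploit-attempt",
                       "POST to generate-transform with __class in the request body")
    # Endpoint hit but no body captured or no __class: scanned, not necessarily breached.
    return Finding(m["ip"], m["ts"], m["path"], "scan",
                   "POST to generate-transform endpoint")


def scan_log(lines: List[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]


def repeat_offenders(findings: List[Finding], threshold: int = 3) -> List[str]:
    """IPs hitting the endpoint at least `threshold` times: the article describes
    attackers re-sending POSTs until they find a valid asset ID."""
    counts = Counter(f.ip for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log; addresses are documentation ranges, bodies are placeholders.
SAMPLE_LOG = [
    '198.51.100.5 - - [14/Feb/2025:09:10:44 +0000] "GET /blog HTTP/1.1" 200 5120',
    '198.51.100.5 - - [14/Feb/2025:09:11:02 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0 body="loginName=editor&password=REDACTED"',
    '203.0.113.10 - - [14/Feb/2025:09:12:01 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 400 0',
    '203.0.113.10 - - [14/Feb/2025:09:12:02 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 400 0 body="assetId=1&__class=PLACEHOLDER"',
    '203.0.113.10 - - [14/Feb/2025:09:12:03 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 400 0 body="assetId=2&__class=PLACEHOLDER"',
    '203.0.113.10 - - [14/Feb/2025:09:12:04 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 812 body="assetId=3&__class=PLACEHOLDER"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.ip} {f.severity}: {f.reason}")
    print("repeat offenders:", repeat_offenders(found))
```

On a real system, feed the script your proxy or WAF export instead of SAMPLE_LOG. A "scan" finding means your installation was probed, which the advisory says is not by itself evidence of compromise; a "likely-exploit-attempt" with a 200 response from an unpatched version is the case that warrants the key rotation and password resets listed below.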
If evidence of compromise exists, users are strongly urged to:
- Refresh security keys
- Rotate database credentials
- Reset all user passwords
- Block malicious POST requests at the firewall level
The warning comes as another zero-day exploit surfaced. A stack-based buffer overflow flaw (CVE-2025-42599, CVSS 9.8) in Active! Mail is under active exploitation in Japan. Attackers are using it to achieve remote code execution. The vulnerability has been patched in version 6.60.06008562.
“If a remote attacker sends a crafted request, arbitrary code execution or a denial-of-service (DoS) could occur,” warned security firm Qualitia.
Organizations are urged to apply security updates immediately and strengthen firewall defenses to prevent further intrusions.