
Critical Craft CMS Vulnerabilities Under Active Exploitation: Thousands at Risk
A critical security flaw in Craft CMS is under active exploitation, potentially impacting thousands of servers. Threat actors are chaining together two zero-day vulnerabilities to breach systems and gain unauthorized access, highlighting the urgent need for administrators to apply the latest security patches. This situation demands immediate attention from anyone using Craft CMS.
The vulnerabilities, CVE-2024-58136 and CVE-2025-32432, were first observed in attacks in February 2025. Orange Cyberdefense SensePost identified the exploitation, revealing that attackers are using these flaws to upload malicious PHP file managers and steal data.

CVE-2024-58136, with a CVSS score of 9.0, is an improper protection of an alternate path flaw in the Yii PHP framework used by Craft CMS. This vulnerability can be exploited to bypass restrictions and access resources that should be protected. It's a regression of CVE-2024-4990, further compounding the issue.
CVE-2025-32432, a remote code execution (RCE) vulnerability, carries a critical CVSS score of 10.0. The flaw resides in a built-in image transformation feature and allows unauthenticated users to send POST requests whose contents the server interprets, potentially leading to arbitrary code execution. According to security researcher Nicolas Bourras, the exploit abuses a weakness in how Craft CMS handles asset IDs during image transformation.
"CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server," Bourras explained.
The attackers are reportedly using Python scripts to identify vulnerable servers by sending multiple POST requests to find valid asset IDs. Once a valid ID is discovered, the script downloads a PHP file (filemanager.php, later renamed to autoload_classmap.php) from a GitHub repository onto the server.

As of April 18, 2025, approximately 13,000 vulnerable Craft CMS instances had been identified, with nearly 300 suspected of being compromised. Craft CMS advises users to check their firewall and web server logs for suspicious POST requests to the actions/assets/generate-transform endpoint, specifically with the string __class in the body.
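As an added illustration of the log check Craft recommends above (this is not code from the article or from Craft CMS), the Python scan below flags POST requests to the generate-transform action whose body contains __class. It assumes a log format that records the request body as a final quoted field (a default access log does not store POST bodies), and the sample lines are constructed; bodies are URL-decoded first so percent-encoded variants are not missed.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote_plus

# Endpoint and body marker that Craft's guidance (as reported in the article) says to look for.
TARGET_PATH = "actions/assets/generate-transform"
BODY_MARKER = "__class"

# Constructed sample lines (assumption: a custom log format that appends the POST body
# as a final quoted field, e.g. nginx's $request_body; a default access log has no body).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2025:10:01:22 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "assetId=1&__class=PLACEHOLDER"
198.51.100.3 - - [18/Apr/2025:10:01:25 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 200 140 "assetId=42&transform%5B__class%5D=PLACEHOLDER"
198.51.100.4 - - [18/Apr/2025:10:01:31 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 500 0 "assetId=42&%5F%5Fclass=PLACEHOLDER"
192.0.2.9 - - [18/Apr/2025:10:02:00 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 140 "-"
192.0.2.10 - - [18/Apr/2025:10:02:05 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 200 140 "assetId=7&handle=thumb"
"""

# Combined-log prefix plus the trailing quoted body field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)

@dataclass
class Hit:
    ip: str
    timestamp: str
    target: str
    status: str

def is_target_endpoint(target: str) -> bool:
    """Craft routes actions both as a URL path and via the ?p= query parameter."""
    path, _, query = target.partition("?")
    if path.strip("/").endswith(TARGET_PATH):
        return True
    return any(p.strip("/").endswith(TARGET_PATH) for p in parse_qs(query).get("p", []))

def scan_log(text: str) -> list[Hit]:
    """Return POSTs to the transform endpoint whose (URL-decoded) body contains __class."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_target_endpoint(m["target"]):
            continue
        # Decode first so percent-encoded variants (%5F%5Fclass) are not missed.
        if BODY_MARKER in unquote_plus(m["body"]):
            hits.append(Hit(m["ip"], m["ts"], m["target"], m["status"]))
    return hits
```

Run scan_log over your own body-capturing log text; each Hit carries the source IP, timestamp, request target and response status for triage.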
Craft CMS has released patches for CVE-2025-32432 in versions 3.9.15, 4.14.15, and 5.6.17. While the Yii framework vulnerability was addressed in Yii 2.0.52, Craft CMS has not yet updated to this version, but the implemented fix for CVE-2025-32432 mitigates the exploit chain, according to Orange Cyberdefense.
If you suspect your site has been compromised, Craft CMS recommends the following steps:
- Refresh your security key using: php craft setup/security-key
- Rotate your database credentials.
- Force all users to reset their passwords using: php craft resave/users --set passwordResetRequired --to "fn() => true"
- Block malicious requests at the firewall level.
These vulnerabilities pose a significant threat to websites relying on Craft CMS. Are you taking the necessary steps to protect your server? Share your thoughts and mitigation strategies in the comments below.