Do Son 
Distribution of vulnerable Craft CMS instances by country
The Incident Response Team (CSIRT) at Orange Cyberdefense has uncovered a widespread series of intrusions targeting servers powered by Craft CMS — a popular content management system used for building and administering websites. In the course of investigating the compromise of one particular site, specialists determined that cybercriminals are exploiting a combination of two previously unknown vulnerabilities to infiltrate infrastructures and exfiltrate sensitive information.
The first vulnerability, designated CVE-2025-32432, enables remote code execution. The second flaw, tracked as CVE-2024-58136, resides within the Yii framework underlying Craft CMS and stems from improper input validation.
The ethical hacking division SensePost, a part of Orange Cyberdefense, reconstructed the full attack chain. The attackers sequentially exploit these vulnerabilities to deploy a specialized PHP-based file manager onto the compromised server.
The breach begins with the exploitation of CVE-2025-32432: the adversary crafts a specific request featuring a “return URL” parameter. The submitted data is written into a PHP session file, and its identifier is returned to the user within the HTTP response.
Subsequently, leveraging CVE-2024-58136, the attackers dispatch a malicious JSON payload that triggers the execution of PHP code from the previously created session file. This method allows the intruders to implant the file manager and establish a deeper foothold within the infrastructure.
Once control is secured, the attackers deploy additional backdoors and set up channels for exfiltrating stolen data. A comprehensive description of the attack chain will be detailed in an upcoming publication by the company.
The creators of the affected components acted swiftly to issue patches. The Yii team addressed CVE-2024-58136 in version 2.0.52 released on April 9. The following day, the developers of Craft CMS rolled out updates 3.9.15, 4.14.15, and 5.6.17 to neutralize CVE-2025-32432.
Although Craft CMS by default retained the potentially vulnerable Yii version 2.0.51, Orange Cyberdefense analysts confirm that, following the updates, the discovered attack chain loses its effectiveness, as the flaw in the framework becomes inaccessible for exploitation.
Owners of potentially compromised resources are advised to undertake a comprehensive set of protective measures. A top priority is to regenerate the security key via the command php craft setup/security-key and subsequently synchronize the CRAFT_SECURITY_KEY variable across all production environments.
It is also essential to replace private keys used in environment variables (such as those for S3, Stripe, and other services) and update database access credentials. As an additional precaution, administrators are encouraged to initiate a forced password reset for all users using the command php craft resave/users --set passwordResetRequired --to "fn() => true".
An exhaustive list of indicators of compromise, including network addresses and names of suspicious files, is appended to the SensePost report. Earlier in February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of another critical flaw in Craft CMS versions 4 and 5 — CVE-2025-23209 — which allows for malicious code injection. This succession of incidents underscores the growing interest of cybercriminals in the platform, necessitating heightened vigilance and strict adherence to expert recommendations by administrators.
