Threat actors have been observed to exploit two newly disclosed serious security flaws in the zero-day attack craft CMS to compromise servers and gain unauthorized access.
The attacks first observed by Orange Cyber Defense Sense Post on February 14, 2025 involve chasing the following vulnerabilities –
CVE-2024-58136 (CVSS score: 9.0) – Inappropriate protection of alternative path defects in the YII PHP framework used by the craft CMS that can be used to access restricted features or resources (regression of CVE-2024-4990) CMS (patched with versions 3.9.15, 4.14.15, and 5.6.17)
According to the cybersecurity company, CVE-2025-32432 resides in a built-in image conversion feature that allows site administrators to maintain images in a specific format.
“CVE-2025-32432 relies on the fact that unauthorized users can send POST requests to endpoints responsible for image conversion, and the data in the post is interpreted by the server.”
“In version 3.x of Craft CMS, the asset ID is checked before creating a transform object, but in versions 4.x and 5.x, the asset ID is checked later.
Asset ID refers to the way in which document files and media are managed in the context of a Craft CMS, and each asset is given a unique ID.
It is known that the threat actor behind a campaign will perform multiple post requests until a valid asset ID is detected. A Python script is then run to determine if the server is vulnerable, and if so, download the PHP file from the GitHub repository to the server.
“Between February 10th and 11th, the threat actor improved the script by testing FileManager.php’s download to the web server multiple times in a Python script,” the researchers said. “The file FileManager.php was renamed to Autoload_classmap.php on February 12th and was first used on February 14th.”
Vulnerable Craft CMS Instances by Country
As of April 18, 2025, an estimated 13,000 vulnerable craft CMS instances have been identified, of which nearly 300 have been said to have been compromised.
“If you check your firewall or web server logs and find a suspicious posting request to an action/asset/Generate-Transform Craft Controller endpoint, the site will be scanned at least for this vulnerability, especially using the string__ class in your body,” Craft CMS says in its advice. “This is not a confirmation that your site has been compromised. It’s just been investigated.”
If there is evidence of compromise, it is recommended that users update their security keys, rotate their database credentials, and reset their passwords from a wealth of care.
Disclosure is active! The email zero-day stack-based buffer overflow vulnerability (CVE-2025-42599, CVSS score: 9.8) is subjected to aggressive exploitation in cyberattacks targeting Japanese organizations to achieve remote code execution. Fixed in version 6.60.06008562.
“If a remote third party sends a created request, it may be possible to execute arbitrary code or cause a denial of service (DOS),” Qualitia said in the bulletin.
Source link
