Cybersecurity Threat Advisory: Craft CMS exploited

Cybersecurity Threat Advisory

Threat actors have been actively exploiting a Craft CMS vulnerability, CVE-2025-32432, chained with a flaw in its underlying Yii PHP framework, CVE-2024-58136, to breach web servers and gain unauthorized access. Review the details in this Cybersecurity Threat Advisory to safeguard your devices.

What is the threat?

Threat actors are exploiting two critical security flaws affecting Craft CMS in zero-day attacks. The attacks chain a vulnerability in Craft CMS itself with one in the Yii PHP framework it is built on. CVE-2025-32432, with a CVSS score of 10.0, is an unauthenticated remote code execution (RCE) vulnerability in Craft CMS. CVE-2024-58136, with a CVSS score of 9.0, is an improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that can be exploited to reach restricted functionality or resources.

To date, over 300 servers worldwide have been compromised, and approximately 13,000 instances remain vulnerable. All Craft CMS users running vulnerable versions should patch their installations immediately and implement the recommended security measures below to prevent exploitation.

Why is it noteworthy?

CVE-2024-58136 affects the Yii PHP framework used by Craft CMS. It arises from improper handling of behaviors defined by a __class array key, which lets attackers reach restricted functionality or resources. Successful exploitation gives unauthorized access to restricted areas of the application and can lead to privilege escalation or data exposure.

CVE-2025-32432 resides in Craft CMS's image transformation feature. It allows unauthenticated attackers to send specially crafted POST requests to the actions/assets/generate-transform endpoint. Because the request data is not properly validated, the server processes attacker-controlled input from the POST body, and in combination with CVE-2024-58136 this leads to RCE.
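The endpoint named above is something a defender can look for in web server access logs. The script below is an added example, not Barracuda's or Craft's own tooling: it parses Combined Log Format lines (the nginx/Apache default; the format is an assumption), flags POST requests to the generate-transform action, whether addressed by path or by the action query parameter, and counts hits per source IP. The log lines are constructed for illustration.

```python
"""Flag requests to the Craft CMS assets/generate-transform action in an
access log. Added example; the log format and matching rule are assumptions
based on the endpoint named in the advisory, and the sample lines are made up.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format, as written by nginx and Apache by default. Adjust for
# custom formats (e.g. proxy logs with an extra leading field).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Craft exposes controller actions under /<actionTrigger>/<route> (default
# trigger "actions") and also via an ?action=<route> query parameter, so both
# spellings of the route from the advisory are checked.
ACTION_ROUTE = "assets/generate-transform"


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_generate_transform(entry):
    """True when the request reaches the generate-transform action by path or query."""
    target = unquote(entry["target"]).lower()
    return f"/actions/{ACTION_ROUTE}" in target or f"action={ACTION_ROUTE}" in target


def is_suspicious(entry):
    """The advisory describes exploitation via POST to this action. A GET here is
    what Craft's own image transform URLs produce for a transform that has not
    been generated yet, so only POSTs are flagged."""
    return entry["method"] == "POST" and targets_generate_transform(entry)


def scan(lines):
    """Return (suspicious entries, Counter of hits per source IP)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits, Counter(e["ip"] for e in hits)


# Constructed sample log: one legitimate transform GET, two probing POSTs from
# one source (path form and URL-encoded query form), and an unrelated page hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:02:14:05 +0000] "GET /actions/assets/generate-transform?transformId=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2025:02:15:11 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 500 1327 "-" "python-requests/2.32.3"
198.51.100.23 - - [10/May/2025:02:15:12 +0000] "POST /index.php?action=assets%2Fgenerate-transform HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.7 - - [10/May/2025:02:16:40 +0000] "GET /about HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    hits, per_ip = scan(lines)
    for e in hits:
        print(f'{e["time"]} {e["ip"]} {e["method"]} {e["target"]} -> {e["status"]}')
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} POST(s) to generate-transform")
```

Run it against a real access log with the path as the first argument. A hit identifies a request aimed at the vulnerable action, not a confirmed exploit: access logs do not record the POST body, so confirming an attempt (for example the __class payload from CVE-2024-58136) requires request-body logging, a WAF log, or Craft's own logs. Treat any POST to this action from an address that is not your own front end as worth investigating, and check the server for webshells and new admin users if one is found.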

What is the exposure or risk?

When exploited together, these vulnerabilities enable unauthenticated remote attackers to execute arbitrary code on affected servers, which can lead to complete system compromise. Upon gaining unauthorized access to the Craft CMS backend, attackers can modify website content, user accounts, and configurations. Attackers can access and exfiltrate sensitive data stored within the Craft CMS database or on the server’s file system. Threat actors often install backdoors to maintain persistent access to compromised servers, even after organizations patch the initial vulnerability. Attackers could deface websites or cause service disruptions.

What are the recommendations?

Barracuda recommends the following actions to secure your devices:

  • Upgrade Craft CMS to 3.9.15, 4.14.15, or 5.6.17 or later, depending on the major version in use.
  • Upgrade the Yii PHP framework to version 2.0.52 or later.
  • Refresh the Craft CMS security key, rotate database credentials and any other private keys stored as environment variables, and consider forcing all users to reset their passwords.
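The first two recommendations come down to two package versions in the site's composer.lock. The following script is an added example, not Barracuda's or Craft's own code: it reads a composer.lock, finds craftcms/cms and yiisoft/yii2, and compares them against the fixed versions listed above, per Craft major branch. The sample lock file embedded at the bottom is constructed.

```python
"""Check a Craft CMS project's composer.lock against the fixed versions from
this advisory (Craft 3.9.15 / 4.14.15 / 5.6.17, Yii 2.0.52). Added example,
not Barracuda's or Craft's tooling; the sample lock data is constructed.
"""
import json
import re

# Minimum patched version per Craft major branch, and for yiisoft/yii2,
# taken from the recommendations above.
CRAFT_FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
YII_FIXED = (2, 0, 52)


def parse_version(text):
    """Turn '5.6.16', 'v2.0.51' or '5.7.0-beta.1' into a comparable int tuple.
    Pre-release suffixes are dropped, so '5.6.17-RC1' compares as 5.6.17;
    treat such a result as 'probably fixed, confirm by hand'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def installed_versions(lock_text):
    """Return {package name: version string} for every package in a composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_composer_lock(lock_text):
    """Return a list of (package, installed, required) tuples that need upgrading.
    An empty list means both packages are at or above the fixed versions."""
    pkgs = installed_versions(lock_text)
    findings = []

    craft = pkgs.get("craftcms/cms")
    if craft is not None:
        ver = parse_version(craft)
        fixed = CRAFT_FIXED.get(ver[0])
        if fixed is None:
            # A branch the advisory gives no fixed release for (e.g. Craft 2.x):
            # flag it rather than silently passing it.
            findings.append(("craftcms/cms", craft, "unsupported branch"))
        elif ver < fixed:
            findings.append(("craftcms/cms", craft, ".".join(map(str, fixed))))

    yii = pkgs.get("yiisoft/yii2")
    if yii is not None and parse_version(yii) < YII_FIXED:
        findings.append(("yiisoft/yii2", yii, ".".join(map(str, YII_FIXED))))

    return findings


# Constructed sample: a Craft 5 site one patch release behind on both packages.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.16"},
        {"name": "yiisoft/yii2", "version": "2.0.51"},
        {"name": "guzzlehttp/guzzle", "version": "7.9.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    findings = check_composer_lock(text)
    for name, installed, required in findings:
        print(f"UPGRADE {name}: {installed} -> {required} or later")
    if not findings:
        print("craftcms/cms and yiisoft/yii2 are at or above the fixed versions")
```

Point it at the composer.lock of each Craft site (composer.lock reflects what is actually installed, unlike the ranges in composer.json). A clean result covers only the two upgrades; the third recommendation, rotating the security key, database credentials, and other secrets, still applies to any instance that was exposed while vulnerable, because a patch does not remove a backdoor that was planted before it.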

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
