Craft CMS RCE exploit chain used in zero-day attacks to steal data

Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense. According to a report by SensePost, the ethical hacking team of Orange Cyberdefense, the threat actors chained both of these vulnerabilities together to breach servers and upload a PHP file manager. To exploit this flaw, the attacker sent a malicious JSON payload that caused the PHP code in the session file to be executed on the server. The attack begins with the exploitation of CVE-2025-32432, which allows attackers to send a specially crafted request containing a "return URL" as a parameter that is saved in a PHP session file. In February, CISA also tagged a code injection (RCE) flaw tracked as CVE-2025-23209 in Craft CMS 4 and 5 as being exploited in attacks. Orange told BleepingComputer that they saw additional compromise steps, including additional uploads of backdoors and data exfiltration. While they did not update Yii to the latest version in Craft CMS, Orange says that the attack chain is still fixed. Craft CMS also fixed the CVE-2025-32432 flaw in versions 3.9.15, 4.14.15, and 5.6.17 on April 10th. Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. The vulnerabilities were discovered by Orange Cyberdefense's CSIRT, which was called in to investigate a compromised server. The second stage of the attack leveraged a flaw in the Yii framework (CVE-2024-58136), which Craft CMS utilizes. This allowed the attacker to install a PHP-based file manager on the server to compromise the system further. For full indicators of compromise, including IP addresses and file names, you can view the appendix in SensePost's report. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 25 Apr 2025 19:45:07 +0000

Cyber News related to Craft CMS RCE exploit chain used in zero-day attacks to steal data

How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
7 months ago Aws.amazon.com

Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
1 year ago Darkreading.com CVE-2024-23222

Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
11 months ago Securityaffairs.com CVE-2024-23222 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109

10 of the biggest zero-day attacks of 2023 - Here are 10 of the biggest zero-day attacks of 2023 in chronological order. Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. ...
1 year ago Techtarget.com CVE-2023-0669 CVE-2023-34362 CVE-2023-36884 CVE-2023-4863 CVE-2023-41992 CVE-2023-41991 CVE-2023-41993 CVE-2023-22515

Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own - Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year's Pwn2Own Vancouver hacking competition. The company addressed the security flaw on systems running macOS Monterey and macOS ...
11 months ago Bleepingcomputer.com CVE-2024-27834

Critical Craft CMS RCE 0-Day Vulnerability Exploited in Attacks to Steal Data - According to security researchers at CERT Orange Cyberdefense, a critical remote code execution (RCE) vulnerability in Craft CMS is actively being exploited to breach servers and steal data. If a system is believed to be compromised, administrators ...
2 weeks ago Cybersecuritynews.com CVE-2024-58136

Samsung Galaxy S23 hacked two more times at Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada. The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance ...
1 year ago Bleepingcomputer.com

Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro ...
1 year ago Bleepingcomputer.com

Craft CMS RCE exploit chain used in zero-day attacks to steal data - Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense. According to a report by SensePost, the ethical hacking ...
2 weeks ago Bleepingcomputer.com CVE-2025-32432

At a Glance: The Year in Cybersecurity 2023 - From a surge in zero-day attacks to a need to consolidate security stacks for safety, we've seen some notable challenges, trends, and threats. In this post, we'll take a quick, non-comprehensive look at trends and news from 2023, and see what ...
1 year ago Securityboulevard.com

Cisco discloses new IOS XE zero-day exploited to deploy malware implant - Cisco disclosed a new high-severity zero-day today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week. The company said it found a fix for both vulnerabilities ...
1 year ago Bleepingcomputer.com CVE-2023-20198 CVE-2023-20273 CVE-2021-1435

Apple fixes two new iOS zero-days in emergency updates - Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. "Apple is aware of a report that this issue may ...
1 year ago Bleepingcomputer.com CVE-2023-42916 CVE-2023-42917

Sav-Rx data breach impacted over 2.8 million individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks. Microsoft fixed two zero-day bugs exploited in malware ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian

North Korean Kimsuky used a new Linux backdoor in recent attacks - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
11 months ago Securityaffairs.com CVE-2022-38028 CVE-2020-3259 CVE-2023-22515 APT28 APT29 BianLian

Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
1 year ago Feeds.dzone.com

Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report - To illuminate the evolving digital threat landscape and help the cyber community understand today's most pressing threats, we released our annual Microsoft Digital Defense Report. This year's report focuses on five key topics: cybercrime, ...
2 years ago Csoonline.com POLONIUM

newsletter Round 473 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-46747 CVE-2023-46748 CVE-2023-22515 APT29 Rocke BianLian

Microsoft fixes Windows zero-day exploited in QakBot malware attacks - Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the ...
11 months ago Bleepingcomputer.com CVE-2024-30051 CVE-2023-36033 RansomEXX Black Basta

Google Chrome Zero-Day Bug Under Attack, Allows Code Injection - Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the ...
1 year ago Darkreading.com CVE-2024-0519 CVE-2024-0517 CVE-2024-0518 Hunters

Apple backports fix for RTKit iOS zero-day to older iPhones - Apple has backported security patches released in March to older iPhones and iPads, fixing an iOS Kernel zero-day tagged as exploited in attacks. The flaw is a memory corruption issue in Apple's RTKit real-time operating system that enables attackers ...
11 months ago Bleepingcomputer.com CVE-2024-23296

Healthcare firm WebTPA data breach impacted 2.5M individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian

New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
10 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109 Rocke

Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack - MUST READ. Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack. Sweden's liquor supply severely impacted by ransomware attack on logistics company. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors ...
11 months ago Securityaffairs.com CVE-2023-22515 APT29 LockBit

Ivanti Connect Secure zero-days now under mass exploitation - Two zero-day vulnerabilities affecting Ivanti's Connect Secure VPN and Policy Secure network access control appliances are now under mass exploitation. As discovered by threat intelligence company Volexity, which also first spotted the zero-days ...
1 year ago Bleepingcomputer.com CVE-2023-46805 CVE-2024-21887 CVE-2021-22893

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

Craft CMS RCE exploit chain used in zero-day attacks to steal data

Cyber News related to Craft CMS RCE exploit chain used in zero-day attacks to steal data

Latest Cyber News

Cyber Trends (last 7 days)

Trending Cyber News (last 7 days)