According to security researchers at CERT Orange Cyberdefense, a critical remote code execution (RCE) vulnerability in Craft CMS is being actively exploited to breach servers and steal data. This is the second major vulnerability affecting Craft CMS this year, following CVE-2025-23209, which was added to CISA’s Known Exploited Vulnerabilities catalog in February 2025.

The attack chains two flaws. The first (CVE-2025-32432) allows attackers to send specially crafted requests containing a “return URL” parameter that gets saved in a PHP session file. The second exploits a flaw in the Yii framework (CVE-2024-58136) that Craft CMS uses, enabling attackers to execute malicious PHP code on the server.

The vulnerability was initially reported on April 7, 2025, when Craft CMS received information about a flaw related to the Yii framework; that flaw was fixed in Yii 2.0.52, released on April 9th. After confirming the vulnerability, Craft CMS released patched versions on April 10th with an application-level fix. By April 17th, evidence emerged of active exploitation in the wild, prompting Craft CMS to email all potentially affected license holders. According to Orange Cyberdefense, attackers have used this exploit chain to install PHP-based file managers on compromised servers, upload additional backdoors, and exfiltrate sensitive data.

Craft Cloud has configured its global firewall to block malicious requests targeting this exploit, but users are still encouraged to update to the patched versions. For those unable to update, Craft CMS recommends blocking suspicious payloads at the firewall level or installing the Craft CMS Security Patches library as a temporary workaround.

Users should check their logs for suspicious POST requests to the “actions/assets/generate-transform” endpoint containing the string “__class” in the body, which indicates potential scanning for this vulnerability.

If a system is believed to be compromised, administrators should refresh their security key using php craft setup/security-key, rotate any private keys stored as environment variables, rotate database credentials, and force password resets for all users.
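The log check described above, written out as an added example (not code from the article or from Craft CMS). It assumes a hypothetical JSON-lines request log with "method", "url" and "body" fields, since ordinary access logs do not record request bodies; adapt the parse step to wherever your WAF or application actually logs the body.

```python
import json
import re
from typing import Iterable, List, Optional

# Indicators from the article: a POST to the generate-transform action whose
# body contains "__class". Craft also routes actions through "?p=actions/..."
# and "?action=..." query parameters, so match against the full request URL.
TARGET_ACTION = re.compile(r"actions/assets/generate-transform", re.IGNORECASE)
PAYLOAD_MARKER = "__class"


def parse_entry(line: str) -> Optional[dict]:
    """Parse one JSON-lines request record; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) else None


def is_suspicious(entry: dict) -> bool:
    """True when method, target action and body marker all match the reported pattern."""
    method = str(entry.get("method", "")).upper()
    url = str(entry.get("url", ""))
    body = str(entry.get("body", ""))
    return method == "POST" and TARGET_ACTION.search(url) is not None and PAYLOAD_MARKER in body


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Return source, timestamp and URL for every record matching the scan pattern."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and is_suspicious(entry):
            hits.append({"src": entry.get("src"), "ts": entry.get("ts"), "url": entry.get("url")})
    return hits


# Constructed sample log (not real traffic): a benign GET, a legitimate image
# transform request, one record matching the scanning pattern, and a corrupt line.
SAMPLE_LOG = """
{"ts": "2025-04-18T09:12:01Z", "src": "203.0.113.5", "method": "GET", "url": "/", "body": ""}
{"ts": "2025-04-18T09:12:07Z", "src": "203.0.113.5", "method": "POST", "url": "/index.php?p=actions/assets/generate-transform", "body": "assetId=12&transform=thumb"}
{"ts": "2025-04-18T09:13:44Z", "src": "198.51.100.7", "method": "POST", "url": "/index.php?p=actions/assets/generate-transform", "body": "assetId=1&__class=PAYLOAD-REDACTED"}
{"ts": "2025-04-18T09:13:45Z", "src": "198.51.100.7", "method": "POST", "url": "/index.php?p=actions/assets/generate-transform", "body": "assetId=1&__class=PAYLOAD-REDACTED
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} POST {hit['url']}  <- matches CVE-2025-32432 scan pattern")
```

A hit is a reason to pull the session files and the full request from that source for review, not proof of compromise on its own; the remediation steps above apply once compromise is confirmed.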
This article was published on cybersecuritynews.com. Publication date: Sat, 26 Apr 2025 04:10:14 +0000