Threat actors have recently exploited two newly disclosed critical vulnerabilities in Craft CMS, in what experts describe as zero-day attacks aimed at gaining unauthorized access to servers.
The campaign was first highlighted by Orange Cyberdefense SensePost on February 14, 2025, when attackers began chaining two significant security flaws. The first, CVE-2024-58136, rated 9.0 on the CVSS scale, is an improper protection flaw in the Yii PHP framework that Craft CMS is built on, which allows unauthorized access to restricted functionality; it is a regression of an earlier vulnerability, CVE-2024-4990. The second, CVE-2025-32432, carries a maximum CVSS score of 10.0 because it allows remote code execution (RCE); it has been patched in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17.
According to the published analysis, the RCE vulnerability stems from the CMS's built-in image transformation feature, which site administrators use to keep images in specific formats. Researcher Nicolas Bourras explained that an unauthenticated user can send a POST request to the image transformation endpoint and cause the server to misinterpret the data in that request.
Notably, the point at which Craft CMS verifies the asset ID plays a crucial role in whether the exploit can be executed. In 3.x versions the asset ID is checked before the transformation object is created, whereas in 4.x and 5.x the check happens afterward. In either case, an attacker must identify a valid asset ID to exploit these vulnerabilities successfully, regardless of the Craft CMS version.
In practice, attackers have been observed sending multiple POST requests to discover valid asset IDs, then running a Python script to check whether the server is vulnerable. Where it is, the script downloads a PHP file from a GitHub repository onto the targeted server. The attackers refined their scripts between February 10 and 11, making repeated attempts to download a file named filemanager.php, which was later renamed to autoload_classmap.php before it was used on February 14.
As of April 18, 2025, an alarming 13,000 Craft CMS instances were identified as vulnerable, with nearly 300 reported as compromised. Craft CMS has advised site owners that suspicious POST requests to the actions/assets/generate-transform controller, especially those containing the string __class, indicate that the site is being probed for these vulnerabilities. This does not by itself confirm a compromise, but it does signal that the site may be susceptible.
Organizations are urged to review firewall and web server logs for unusual activity tied to these vulnerabilities. Where a compromise is confirmed, prompt action is needed: refresh security keys, rotate database credentials, and reset user passwords to limit the damage. Blocking malicious requests at the firewall is also advised to protect affected environments.
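As an added example that is not part of this article or of Craft CMS's own tooling, the following Python script implements the log review the advisory calls for. It parses web server access log lines in the common combined format, flags POST requests to the actions/assets/generate-transform controller, and raises the severity when the string __class (including its URL-encoded form) appears in the request target. The log lines are constructed samples, not real traffic, and the endpoint and marker strings are the ones named in the advisory. One caveat a practitioner should keep in mind: a standard access log records only the request line, so a __class marker placed in the POST body is visible only in logs that capture request bodies, such as those from a WAF or reverse proxy; the samples below therefore carry the marker in the query string.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Feb/2025:10:01:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [14/Feb/2025:10:01:03 +0000] "POST /index.php?p=admin/actions/assets/generate-transform&assetId=1&handle[__class]=x HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [14/Feb/2025:10:02:00 +0000] "GET /actions/assets/generate-transform?assetId=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Feb/2025:10:03:00 +0000] "POST /actions/assets/generate-transform?assetId=12&transform%5B__class%5D=foo HTTP/1.1" 400 120 "-" "curl/8.0"
192.0.2.9 - - [14/Feb/2025:10:04:00 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators taken from the Craft CMS advisory quoted in the article.
ENDPOINT = "actions/assets/generate-transform"
MARKER = "__class"


def classify(line):
    """Return None for uninteresting lines, otherwise a dict describing the hit.

    Only POST requests to the generate-transform controller are flagged; the
    severity is "high" when the __class marker is present in the request
    target and "medium" otherwise (a POST to that controller still deserves
    review, since legitimate transform generation does not need it).
    """
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    # Decode percent-encoding so an encoded marker (e.g. %5B__class%5D) still matches.
    target = unquote(m["target"])
    if ENDPOINT not in target:
        return None
    severity = "high" if MARKER in target else "medium"
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": m["status"],
        "severity": severity,
        "target": target,
    }


def scan(text):
    """Classify every line of a log text and return the list of hits in order."""
    return [hit for hit in (classify(line) for line in text.splitlines()) if hit]


def summarize(hits):
    """Count hits per (client IP, severity) so repeated probing stands out."""
    return Counter((h["ip"], h["severity"]) for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["severity"]:6} {h["ip"]:14} {h["ts"]} {h["status"]} {h["target"]}')
    print("\nPer-source summary:")
    for (ip, severity), count in sorted(summarize(found).items()):
        print(f"  {ip:14} {severity:6} {count}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; a source that shows many medium hits in quick succession matches the asset ID enumeration described above, and any high hit is the probe the advisory describes and warrants the key rotation and credential reset steps listed in this article.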
The disclosure arrives alongside reports of another critical zero-day vulnerability, this one affecting Active! Mail with a CVSS score of 9.8, which is currently being exploited in remote code execution attacks against companies in Japan. That vulnerability has been addressed in version 6.60.06008562, underscoring the urgent need for proactive security measures.