Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptocurrency Miners and Proxyware

Date: May 28, 2025
Categories: Cryptojacking / Vulnerability

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution vulnerability in the Craft Content Management System (CMS). This flaw has been leveraged to deploy multiple payloads, including a cryptocurrency miner, a loader known as Mimo Loader, and residential proxyware. The vulnerability, identified as CVE-2025-32432, is a high-severity issue in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The security defect was first revealed in April 2025 by Orange Cyberdefense SensePost after it was linked to attacks that occurred earlier in February. According to a recent report from Sekoia, the attackers have weaponized CVE-2025-32432 to gain unauthorized access to targeted systems and deploy a web shell for persistent remote control. This web shell is utilized to download and execute a shell script (“4l4md4r.sh”) from a remote server using tools such as curl, wget, or the Python library urllib2.

Mimo Hackers Target Craft CMS Flaw to Deploy Cryptomining and Proxy Services

On May 28, 2025, cybersecurity analysts reported an alarming trend in which financially motivated hackers have been exploiting a serious vulnerability in the Craft Content Management System (CMS)—designated as CVE-2025-32432. This flaw, which allows for remote code execution, has enabled the attackers to deploy various malicious payloads, including a cryptocurrency miner and residential proxy services, notably using a loader identified as Mimo Loader.

The vulnerability, characterized as a maximum severity risk, was patched in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17. It first came to light in April 2025 during investigations by Orange Cyberdefense’s SensePost team, following its initial exploitation in attacks that were documented earlier in February. In a recent report from Sekoia, cybersecurity experts outlined how these threat actors have effectively weaponized CVE-2025-32432 to gain unauthorized access to the affected systems, subsequently deploying a web shell to facilitate ongoing remote access.

Once the attackers establish this foothold, they utilize the web shell to execute a shell script—specifically named “4l4md4r.sh”—retrieving it from a remote server through common tools like curl, wget, or the Python library urllib2. The consistent use of these methods illustrates the attackers’ strategic approach to maintaining persistence in compromised environments, thereby ensuring their ongoing operations.

Craft CMS has emerged as a significant target for exploitation due to its widespread usage across various sectors, making it an attractive vector for cybercriminals. The United States appears to be one of the primary locations affected, raising concerns among business owners and IT professionals about the risks associated with unpatched software vulnerabilities.

In terms of tactics employed, the Pentagon’s MITRE ATT&CK framework helps elucidate the methods likely leveraged in these attacks. Initial access through the identified vulnerability represents a critical entry point for adversaries, followed by actions focusing on persistence via the web shell installation. Furthermore, privilege escalation techniques might have been employed to solidify the attackers’ control over the compromised systems, allowing further payload deployments.

The implications of these attacks underscore the urgent need for regular software updates and robust cybersecurity practices. Business owners are advised to prioritize patch management, ensuring that their systems are protected against such vulnerabilities, to mitigate the risks posed by organized cyber threats. It is crucial for organizations to remain vigilant and informed about emerging threats to safeguard their digital assets effectively.

As this situation continues to evolve, the cybersecurity community is advised to monitor developments regarding CVE-2025-32432 and related cyber activities. Business leaders and technical teams should engage in proactive strategies to bolster their defenses against such exploits, thereby reducing potential exposure to devastating financial losses and reputational damage.

Source link

Related Posts

Chinese Hackers Leverage Trimble Cityworks Vulnerability to Access U.S. Government Networks

May 22, 2025
Vulnerability / Threat Intelligence

A Chinese-speaking threat actor, identified as UAT-6382, has exploited a recently patched remote-code-execution vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell. According to an analysis by Cisco Talos researchers Asheer Malhotra and Brandon White, “UAT-6382 effectively targeted CVE-2025-0944, conducted reconnaissance, and quickly implemented various web shells and custom malware for sustained access.” Following their infiltration, UAT-6382 showed significant interest in systems related to utility management. Cisco Talos observed these attacks beginning in January 2025, specifically aimed at the enterprise networks of local government entities in the U.S. CVE-2025-0944, with a CVSS score of 8.6, pertains to a vulnerability in the GIS-focused asset management software that could allow for remote code execution. The flaw has been patched.

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

Microsoft OneDrive File Picker Vulnerability Allows Full Access to Cloud Storage When Uploading a Single File

May 28, 2025
Data Privacy / Vulnerability

Cybersecurity researchers have identified a serious security flaw in Microsoft’s OneDrive File Picker. If exploited, this vulnerability could enable websites to gain access to a user’s entire cloud storage, rather than just the files intended for upload. According to the Oasis Research Team’s report to The Hacker News, the issue arises from overly broad OAuth scopes and unclear consent screens that do not adequately communicate the level of access being granted. This flaw poses significant risks, including potential customer data leaks and violations of compliance regulations. Affected applications may include ChatGPT, Slack, Trello, and ClickUp, all of which integrate with Microsoft’s cloud service. The core of the problem lies in the excessive permissions required by the OneDrive File Picker, which requests read access to the entire drive, even when only a single file is selected for upload, due to a lack of fine-grained permission controls.

Over 100,000 WordPress Sites Vulnerable to Critical CVSS 10.0 Flaw in TI WooCommerce Wishlist Plugin

May 29, 2025 Vulnerability / Website Security

Cybersecurity experts have revealed a severe, unpatched security vulnerability affecting the TI WooCommerce Wishlist plugin for WordPress. This flaw can be exploited by unauthenticated attackers to upload arbitrary files. The TI WooCommerce Wishlist, with over 100,000 active installations, allows e-commerce customers to save their favorite products and share their lists on social media.

According to Patchstack researcher John Castro, “The plugin is susceptible to an arbitrary file upload vulnerability, enabling attackers to upload malicious files to the server without any authentication.” Identified as CVE-2025-47577, this vulnerability has a CVSS score of 10.0 and affects all versions up to and including 2.9.2, released on November 29, 2024. Currently, no patch is available. The website security firm pointed out that the vulnerability is linked to a function called “tinvwl_upload_file_wc_fields_factory,” which utilizes another native WordPress…