Hackers have launched a wave of zero-day attacks exploiting two critical vulnerabilities in Craft CMS, leading to widespread server breaches. Security researchers from Orange Cyberdefense SensePost first spotted the attacks on February 14, 2025, as cybercriminals chained two dangerous flaws to gain unauthorized access.
The vulnerabilities at the center of these attacks are:
- CVE-2024-58136 (CVSS 9.0): A path protection flaw in the Yii PHP framework that Craft CMS relies on. This issue is a regression of a previous flaw, CVE-2024-4990, and allows attackers to access restricted resources.
- CVE-2025-32432 (CVSS 10.0): A remote code execution (RCE) vulnerability in Craft CMS itself, now patched in versions 3.9.15, 4.14.15, and 5.6.17.
According to cybersecurity expert Nicolas Bourras, CVE-2025-32432 stems from an insecure image transformation feature. In vulnerable versions of Craft CMS, unauthenticated users can send a POST request that the server misinterprets, leading to remote code execution.
Interestingly, Craft CMS versions 3.x check asset IDs before creating the transformation object, but versions 4.x and 5.x perform the check afterward. As a result, threat actors can exploit all versions by first locating a valid asset ID. In Craft CMS, asset IDs are unique identifiers assigned to media and document files.
To pull off the attacks, hackers sent numerous POST requests, hoping to stumble upon a valid asset ID. Once they found one, they ran a Python script to confirm the server’s vulnerability and downloaded a PHP file from GitHub to the compromised server.
Security researchers noted that, between February 10 and 11, hackers refined their attack scripts. Initially, they used a file called filemanager.php. By February 12, they had renamed the file to autoload_classmap.php, which they started deploying by February 14.
Thousands of Craft CMS Servers Remain at Risk
By April 18, 2025, researchers identified around 13,000 vulnerable Craft CMS instances worldwide. Alarmingly, nearly 300 servers have likely been compromised already.
Craft CMS issued an urgent advisory to its users. If you notice suspicious POST requests targeting the actions/assets/generate-transform controller endpoint, especially if the payload contains the string __class, your site was at least scanned for this vulnerability. However, a scan does not automatically mean the server was compromised.
Still, if there’s any sign of compromise, experts recommend taking immediate action: rotate your database credentials, refresh all security keys, reset user passwords, and block suspicious POST requests at the firewall.
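The advisory's detection guidance (POST requests to actions/assets/generate-transform, with __class in the payload as the stronger signal) and the dropped-file names reported earlier in the article can be turned into a small triage script. The following is an added example written for this page, not code from Craft CMS or from the researchers; the log lines, request bodies and file listing are constructed. It assumes a combined-format access log, and that any request bodies come from a separate capture (a reverse proxy, for instance), since standard access logs do not record POST bodies. The legitimate location of Composer's autoload_classmap.php under vendor/composer/ is used to avoid flagging that file, which is my note rather than something the article states.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators named in the article: the advisory's endpoint and payload marker,
# plus the two file names the attackers were observed dropping.
SUSPICIOUS_ENDPOINT = "actions/assets/generate-transform"
SUSPICIOUS_MARKER = "__class"
KNOWN_DROPPED_FILENAMES = {"filemanager.php", "autoload_classmap.php"}
# Composer generates this file legitimately; a copy anywhere else is the concern.
LEGITIMATE_SUFFIX = "vendor/composer/autoload_classmap.php"

# Combined/common access-log format: client, timestamp, "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    client: str
    ts: str
    status: int
    level: str  # "scan": endpoint hit; "probe": endpoint hit and __class in body


def classify(method: str, path: str, body: Optional[str] = None) -> Optional[str]:
    """Return "probe" for a POST to the transform endpoint whose body carries
    __class, "scan" for a POST to the endpoint without it, else None."""
    if method != "POST" or SUSPICIOUS_ENDPOINT not in path:
        return None
    if body is not None and SUSPICIOUS_MARKER in body:
        return "probe"
    return "scan"


def scan_access_log(lines: Iterable[str],
                    bodies: Optional[Dict[int, str]] = None) -> List[Finding]:
    """Parse access-log lines; `bodies` optionally maps a line index to the
    request body captured elsewhere. Unparseable lines are skipped."""
    bodies = bodies or {}
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue
        level = classify(m["method"], m["path"], bodies.get(i))
        if level:
            findings.append(Finding(m["client"], m["ts"], int(m["status"]), level))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, Dict[str, int]]:
    """Count scan/probe hits per client so repeat sources stand out."""
    per_client: Dict[str, Dict[str, int]] = {}
    for f in findings:
        per_client.setdefault(f.client, {"scan": 0, "probe": 0})[f.level] += 1
    return per_client


def suspicious_files(paths: Iterable[str]) -> List[str]:
    """Flag files named like the dropped payloads, excluding Composer's own
    autoload_classmap.php at its normal location."""
    hits = []
    for p in paths:
        normalized = p.replace("\\", "/")
        if os.path.basename(normalized) in KNOWN_DROPPED_FILENAMES \
                and not normalized.endswith(LEGITIMATE_SUFFIX):
            hits.append(p)
    return sorted(hits)


# Constructed sample data (not real logs): one client probes with __class,
# then hits the endpoint again; a GET to the endpoint and a page view are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2025:09:12:01 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512',
    '192.0.2.5 - - [14/Feb/2025:09:12:03 +0000] "GET /about HTTP/1.1" 200 2048',
    '198.51.100.23 - - [14/Feb/2025:09:12:04 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Feb/2025:09:12:05 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 400 97',
    'not a log line',
]
SAMPLE_BODIES = {0: "assetId=7&__class=placeholder"}  # constructed body capture
SAMPLE_FILES = [
    "web/index.php",
    "web/autoload_classmap.php",
    "vendor/composer/autoload_classmap.php",
    "web/uploads/filemanager.php",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, SAMPLE_BODIES):
        print(f)
    print(summarize(scan_access_log(SAMPLE_LOG, SAMPLE_BODIES)))
    print(suspicious_files(SAMPLE_FILES))
```

A "scan" finding alone matches the advisory's point that the site was scanned, not necessarily compromised; a "probe" from the same client followed by an unexpected file under the web root is what should trigger the credential and key rotation described above.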
A Widening Threat Landscape
While Craft CMS battles its vulnerabilities, other software isn’t safe either. A critical zero-day flaw in Active! Mail (CVE-2025-42599, CVSS 9.8) is also under active exploitation. This stack-based buffer overflow bug lets attackers achieve remote code execution or trigger denial-of-service (DoS) attacks. Thankfully, Active! Mail released a patch in version 6.60.06008562.
As cyberattacks surge across the web, organizations must prioritize patching systems, monitoring for suspicious activity, and hardening defenses against evolving threats.