Craft CMS RCE Exploit Chain Used in Zero-Day Attacks to Steal Data
Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense. The vulnerabilities were discovered by Orange Cyberdefense's CSIRT, which was called in to investigate a compromised server.
The attack began with the exploitation of CVE-2025-32432, a vulnerability that allows an attacker to send a specially crafted request with a "return URL" parameter whose value is saved into a PHP session file. The name of that session is then returned to the visitor as part of the HTTP response.
The second stage of the attack leveraged a flaw in the Yii framework (CVE-2024-58136), which Craft CMS utilizes. To exploit this flaw, the attacker sent a malicious JSON payload that caused the PHP code in the session file to be executed on the server. This allowed the attacker to install a PHP-based file manager on the server to compromise the system further.
Orange told BleepingComputer that it observed further compromise steps, including the upload of additional backdoors and data exfiltration. The Yii developers fixed CVE-2024-58136 in Yii 2.0.52, released on April 9th, and Craft CMS fixed CVE-2025-32432 in versions 3.9.15, 4.14.15, and 5.6.17 on April 10th.
Even so, Orange says the attack chain is broken by the Craft CMS fix alone, noting: "Today, the 2.0.51 (vulnerable) is still by default in Craft. However, with the CVE-2025-32432 fix, the Yii issue cannot be triggered now."
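As an added illustration (not code from the article, Orange Cyberdefense, or the Craft CMS and Yii projects), the Python below reads a project's composer.lock and compares the installed craftcms/cms and yiisoft/yii2 versions against the fixed releases named above; the sample lock file content is constructed.

```python
# Added example (not from the article or from Craft/Yii): check a project's
# composer.lock against the fixed versions the article names.
import json
import re

# Fixed versions as stated in the article: Craft CMS 3.9.15 / 4.14.15 / 5.6.17
# for CVE-2025-32432, Yii 2.0.52 for CVE-2024-58136.
CRAFT_FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
YII_FIXED = (2, 0, 52)

# Constructed sample composer.lock excerpt (not a real project's lock file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.6.16"},
    {"name": "yiisoft/yii2", "version": "2.0.51"},
]})

def parse_version(text):
    """Turn '4.14.15' or 'v2.0.51' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def installed_versions(lock_text):
    """Map package name -> version string from a composer.lock document."""
    return {p["name"]: p["version"] for p in json.loads(lock_text).get("packages", [])}

def status(version, fixed):
    """'patched' if version >= fixed, 'vulnerable' otherwise, None if not installed."""
    if version is None:
        return None
    return "patched" if parse_version(version) >= fixed else "vulnerable"

def assess(lock_text):
    """Report each package's status and whether the two-stage chain is blocked."""
    pkgs = installed_versions(lock_text)
    craft = pkgs.get("craftcms/cms")
    craft_fixed = CRAFT_FIXED.get(parse_version(craft)[0]) if craft else None
    report = {
        "craftcms/cms": "unknown branch" if craft and not craft_fixed else status(craft, craft_fixed),
        "yiisoft/yii2": status(pkgs.get("yiisoft/yii2"), YII_FIXED),
    }
    # Both stages are needed for RCE, so patching either one breaks the chain;
    # the article notes the Craft fix alone stops the Yii flaw being reached.
    report["chain_blocked"] = "patched" in (report["craftcms/cms"], report["yiisoft/yii2"])
    return report
```

A Craft major version outside 3, 4 or 5 is reported as "unknown branch" rather than guessed at, since the article names fixes only for those branches.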
Potential Impact and Recommendations
Craft CMS recommends that admins perform the following steps if they believe their site has been compromised:
- For full indicators of compromise, including IP addresses and file names, you can view the appendix in SensePost's report.
Other Vulnerabilities Targeted by Attackers
In February, CISA also tagged a code injection (RCE) flaw tracked as CVE-2025-23209 in Craft CMS 4 and 5 as being exploited in attacks.