# Attackers Chained Two Craft CMS Zero-Days in Attacks in the Wild

Threat actors have exploited two previously unknown vulnerabilities in the Craft CMS content management system to breach servers and steal sensitive data. Orange Cyberdefense's CSIRT (Computer Security Incident Response Team), which investigated the intrusions, reported that the attackers chained the two flaws to gain unauthorized access to Craft CMS servers; its survey found nearly 35,000 Craft CMS instances exposed on the Internet, only a subset of which were vulnerable or actually compromised.

The two vulnerabilities, tracked as CVE-2025-32432 and CVE-2024-58136, are respectively a remote code execution (RCE) flaw in Craft CMS and an input validation flaw in the Yii framework on which Craft CMS is built. According to a report published by SensePost, Orange Cyberdefense's ethical hacking team, the attack began with the exploitation of CVE-2025-32432: the attackers sent a crafted request whose "return URL" value, carrying PHP code, was saved by the application into a PHP session file on the server.

The threat actors then exploited CVE-2024-58136 in the Yii framework. They sent a malicious JSON payload that abused the input validation flaw and caused the PHP code stored in the session file to be executed. With code execution on the server, they installed a PHP-based file manager and used it to further compromise the host.
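The first stage leaves a concrete artifact: a PHP session file containing an attacker-controlled string with a PHP open tag in it. The following Python script is an added example, not code from the Orange Cyberdefense report or from Craft, for a responder who wants to sweep a server's session directory for that artifact. It parses PHP's default session serialization by honouring the `s:LEN:"..."` length prefix (so payloads containing quotes, semicolons or the `|` key separator are read correctly, including inside nested arrays) and flags any string value that contains `<?php` or `<?=`. The session key name `__returnUrl` used in the constructed sample is an assumption about where Yii stores the return URL; the scan checks every string value, so the real key name does not matter.

```python
import re
from pathlib import Path

# PHP open tags treated as evidence of planted code: "<?php" and the short
# echo tag "<?=". "<?xml" is deliberately not matched, so XML stored in a
# session is not reported as a hit.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# A PHP-serialized string looks like  s:LEN:"BYTES";  where LEN is the exact
# byte length. Walking by the length prefix (instead of splitting on ; or |)
# is what lets us read a payload that itself contains quotes, semicolons or
# the | separator PHP puts between session keys.
SERIALIZED_STR_RE = re.compile(rb's:(\d+):"')


def php_serialize_str(data: bytes) -> bytes:
    """Serialize bytes the way PHP's serialize() does for a string."""
    return b's:%d:"%s";' % (len(data), data)


def serialized_strings(blob: bytes):
    """Yield every serialized string value found in a PHP session file body."""
    pos = 0
    while True:
        m = SERIALIZED_STR_RE.search(blob, pos)
        if m is None:
            return
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if blob[end:end + 2] != b'";':
            # Length prefix does not line up: not a real string token, move on.
            pos = m.end()
            continue
        yield blob[start:end]
        pos = end + 2


def find_php_in_session(blob: bytes) -> list:
    """Return the serialized string values in blob that contain a PHP open tag."""
    return [s for s in serialized_strings(blob) if PHP_TAG_RE.search(s)]


def scan_sessions(sessions) -> dict:
    """sessions: iterable of (name, body_bytes). Returns {name: [suspicious values]}."""
    hits = {}
    for name, body in sessions:
        found = find_php_in_session(body)
        if found:
            hits[name] = found
    return hits


def scan_session_dir(directory: str) -> dict:
    """Scan on-disk PHP session files (sess_*) under directory."""
    files = Path(directory).glob("sess_*")
    return scan_sessions((f.name, f.read_bytes()) for f in files)


# Constructed sample session bodies (not real captures). The key name
# __returnUrl is an assumption about where a Yii/Craft return URL is stored.
PAYLOAD = b'<?php system($_GET["c"]); ?>'
BENIGN_SESSION = b"__flash|a:0:{}__returnUrl|" + php_serialize_str(b"/admin/dashboard")
MALICIOUS_SESSION = b"__flash|a:0:{}__returnUrl|" + php_serialize_str(PAYLOAD)
# A payload hidden inside a serialized array is found as well.
NESTED_SESSION = (b"data|a:1:{" + php_serialize_str(b"url")
                  + php_serialize_str(b"/x<?= `id` ?>") + b"}")

if __name__ == "__main__":
    samples = [("sess_benign", BENIGN_SESSION),
               ("sess_bad", MALICIOUS_SESSION),
               ("sess_nested", NESTED_SESSION)]
    for name, found in scan_sessions(samples).items():
        print(name, found)
```

Point `scan_session_dir()` at the directory reported by `session_save_path()` on the affected host. A hit only proves that code was planted, not that the second stage fired; pair it with the published IoCs for the file manager before concluding either way.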

The attackers' tactics, techniques, and procedures (TTPs) thus combine two exploits: one to plant code on the server and one to trigger it. Using the Onyphe asset database, the Orange Cyberdefense CSIRT identified nearly 35,000 Craft CMS instances exposed on the Internet, around 13,000 of which were running vulnerable versions. These figures describe the exposed population, not the number of servers actually breached.

By applying a nuclei template, the researchers narrowed this to approximately 6,300 IP addresses hosting vulnerable instances, most of them located in the United States of America. Further analysis found about 300 instances that were potentially compromised, based on file patterns left behind by the intrusions.

The investigation confirmed that the attackers had successfully exploited both vulnerabilities, resulting in the installation of a PHP-based file manager and subsequent data theft. Both vulnerabilities have since been fixed: Craft CMS versions 3.9.15, 4.14.15, and 5.6.17 address CVE-2025-32432, and the development team behind Yii released a fix for CVE-2024-58136 in April 2025.
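Because the fix shipped on three Craft branches at once, "am I patched?" is a per-branch comparison rather than a single version check. The Python helper below is an added example (not from the report or from Craft's own tooling) that reads the installed versions from a project's `composer.lock` and reports, for each branch, whether the Craft release is at or above the fixed versions listed above. Two things in it are my assumptions rather than facts from this page: Yii 2.0.52 is used as the release that fixed CVE-2024-58136 (the page only says April), and any Craft major newer than 5 is treated as released after the fix. The `composer.lock` fragment is constructed.

```python
import json
import re

# Fixed Craft CMS releases per major branch, as listed above.
FIXED_CRAFT = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
# Assumption: Yii 2.0.52 is taken as the release that fixed CVE-2024-58136.
FIXED_YII = (2, 0, 52)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> tuple:
    """Parse '5.6.17' or 'v5.6.17-beta.1' into a comparable tuple.

    A pre-release (any -suffix) sorts below the final release of the same
    number, so '5.6.17-beta.1' is NOT treated as already patched.
    """
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def craft_is_patched(version: str) -> bool:
    v = parse_version(version)
    fixed = FIXED_CRAFT.get(v[0])
    if fixed is None:
        # Assumption: majors newer than 5 were cut after the fix; older
        # branches (2.x and earlier) have no fix listed, treat as unpatched.
        return v[0] > max(FIXED_CRAFT)
    return v >= fixed + (1,)


def yii_is_patched(version: str) -> bool:
    return parse_version(version) >= FIXED_YII + (1,)


def audit_composer_lock(lock_json: str) -> dict:
    """Read installed versions from composer.lock and report patch status.

    Returns {package: (version, patched)} for the two packages involved.
    """
    lock = json.loads(lock_json)
    installed = {p["name"]: p["version"] for p in lock.get("packages", [])}
    checks = {"craftcms/cms": craft_is_patched, "yiisoft/yii2": yii_is_patched}
    report = {}
    for name, check in checks.items():
        if name in installed:
            report[name] = (installed[name], check(installed[name]))
    return report


# Constructed composer.lock fragment (not from a real site): Craft on the 4.x
# branch one release behind the fix, Yii already at the assumed fixed release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.14.14"},
        {"name": "yiisoft/yii2", "version": "2.0.52"},
    ]
})

if __name__ == "__main__":
    for pkg, (ver, ok) in audit_composer_lock(SAMPLE_LOCK).items():
        print(f"{pkg} {ver}: {'patched' if ok else 'VULNERABLE'}")
```

Run it against a real `composer.lock` with `audit_composer_lock(open("composer.lock").read())`. Both rows need to come back patched: a fixed Craft release on top of a vulnerable Yii still leaves the second link of the chain in place.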

The Orange Cyberdefense CSIRT has published indicators of compromise (IoCs) associated with these attacks, giving the security community and organizations running Craft CMS something concrete to check against. Operators should update to a patched release promptly; since patching closes the entry point but does not remove a file manager that was already installed, they should also review their servers against the IoCs before treating them as clean.

Stay informed about the latest security news and updates by following Security Affairs on Twitter (@securityaffairs) and Facebook, or by joining the Security Affairs Mastodon community.

# Conclusion

The attacks exploiting the Craft CMS zero-days show why prompt patching matters, and why patching alone is not enough: a server breached before the update keeps whatever the attackers installed on it. Organizations running Craft CMS should move to a fixed release and then check their servers against the published indicators of compromise. Understanding how the two flaws were chained, one to plant code and one to trigger it, is what makes both the patch decision and the compromise assessment straightforward.