Full Report
Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense. [...]
Analysis Summary
# Vulnerability: Craft CMS RCE Exploit Chain via Yii Framework Flaw
## CVE Details
- CVE ID: CVE-2024-58136 (Yii Framework component) & CVE-2025-32432 (Craft CMS; addressed by the Craft CMS fix)
- CVSS Score: *Not explicitly provided, inferred to be High due to RCE and zero-day use in data theft.*
- CWE: *Not explicitly provided in detail, relates to improper deserialization/code execution.*
## Affected Systems
- Products: Craft CMS, Yii Framework (utilized by Craft CMS)
- Versions:
  - Yii Framework versions prior to 2.0.52
  - Craft CMS versions prior to those patched on April 10th (specifically 3.9.15, 4.14.15, and 5.6.17)
- Configurations: Any Craft CMS instance utilizing the vulnerable version of the underlying Yii framework.
## Vulnerability Description
This vulnerability is an exploit chain whose initial stage targets a flaw in the Yii framework (CVE-2024-58136), which Craft CMS uses. Attackers send a malicious JSON payload over the network; this payload triggers the execution of PHP code stored in a session file on the server. Successful exploitation gives the attacker Remote Code Execution (RCE), followed by post-exploitation steps such as installing a file manager, uploading backdoors, and exfiltrating data. *Note: Craft CMS implemented a fix (CVE-2025-32432) that breaks the exploit chain even though it did not upgrade the bundled Yii version to the latest release.*
## Exploitation
- Status: Exploited in the wild (Zero-day attacks observed leading to data theft).
- Complexity: *Inferred to be Medium/High due to the multi-stage nature (chain).*
- Attack Vector: Network
## Impact
- Confidentiality: High (Data exfiltration observed)
- Integrity: High (Ability to upload backdoors and install file managers)
- Availability: Potential Impact (Server compromise)
## Remediation
### Patches
- **Yii Framework:** Upgrade to **Yii 2.0.52** (Released April 9th).
- **Craft CMS:** Upgrade to versions **3.9.15, 4.14.15, or 5.6.17** (Released April 10th). *These Craft CMS updates specifically mitigate the exploit chain by addressing CVE-2025-32432.*
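To turn the version list above into a repeatable check, here is an added example (not code from Craft CMS, Yii, or the advisory) that reads a project's `composer.lock` and reports whether `craftcms/cms` is below the patched release for its major branch and whether the bundled `yiisoft/yii2` is below 2.0.52. It assumes the standard `composer.lock` layout (a `packages` list of objects with `name` and `version`); the sample lock content is constructed.

```python
import json

# Patched releases named in the advisory: one Craft CMS release per major branch, plus Yii 2.0.52.
CRAFT_FIXED = {3: "3.9.15", 4: "4.14.15", 5: "5.6.17"}
YII_FIXED = "2.0.52"


def parse_version(text):
    """'4.14.15' -> (4, 14, 15, 1); a pre-release such as '5.6.17-beta.1' -> (5, 6, 17, 0),
    so that a pre-release sorts below the final release it precedes."""
    core, _, suffix = text.lstrip("v").partition("-")
    return tuple(int(part) for part in core.split(".")) + ((0,) if suffix else (1,))


def installed_versions(lock_json):
    """Map package name -> version string from the 'packages' list of a composer.lock."""
    return {pkg["name"]: pkg["version"] for pkg in json.loads(lock_json).get("packages", [])}


def assess(lock_json):
    """Return a list of findings; an empty list means craftcms/cms is at or above the
    patched release for its branch and the bundled Yii is at or above 2.0.52."""
    findings = []
    versions = installed_versions(lock_json)
    craft = versions.get("craftcms/cms")
    if craft is None:
        findings.append("craftcms/cms not found in composer.lock")
    else:
        try:
            current = parse_version(craft)
            fixed = CRAFT_FIXED.get(current[0])
            if fixed is None:
                findings.append(f"craftcms/cms {craft}: branch not covered by the advisory")
            elif current < parse_version(fixed):
                findings.append(f"craftcms/cms {craft} is below patched {fixed} (CVE-2025-32432)")
        except ValueError:
            findings.append(f"craftcms/cms version {craft!r} could not be parsed; check manually")
    yii = versions.get("yiisoft/yii2")
    if yii is not None:
        try:
            # The Craft CMS fix breaks the chain even with an older bundled Yii, so this is
            # reported as a separate finding rather than as proof of exposure on its own.
            if parse_version(yii) < parse_version(YII_FIXED):
                findings.append(f"yiisoft/yii2 {yii} is below {YII_FIXED} (CVE-2024-58136)")
        except ValueError:
            findings.append(f"yiisoft/yii2 version {yii!r} could not be parsed; check manually")
    return findings


# Constructed composer.lock fragment for demonstration (not from any real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.14.14"},
    {"name": "yiisoft/yii2", "version": "2.0.51"},
]})

if __name__ == "__main__":
    for line in assess(SAMPLE_LOCK) or ["no findings"]:
        print(line)
```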
### Workarounds
If immediate patching is not possible, Craft CMS recommends the following immediate actions:
1. **Refresh Security Key:** Run `php craft setup/security-key` and update the `CRAFT_SECURITY_KEY` environment variable across all environments.
2. **Refresh Other Keys:** Refresh any other sensitive keys stored as environment variables (e.g., S3, Stripe credentials).
3. **Rotate Database Credentials:** Change database passwords/credentials.
4. **Force User Password Reset:** Run `php craft resave/users --set passwordResetRequired --to "fn() => true"` to ensure all users reset their passwords.
## Detection
- **Indicators of Compromise (IoCs):** Refer to the appendix in the linked SensePost report for specific IP addresses and file names used in the attacks.
- **Detection Methods and Tools:** Monitoring for suspicious network traffic containing malicious JSON payloads targeting session handling or file operations, and inspecting the server for unexpected backdoors or file managers.
## References
- Vendor Advisories:
  - Craft CMS Advisory (CVE-2025-32432): `craftcms.com/knowledge-base/craft-cms-cve-2025-32432`
  - Yii Framework Advisory (CVE-2024-58136): `yiiframework.com/news/709/please-upgrade-to-yii-2-0-52`
- Relevant links:
  - SensePost Report Appendix (for IoCs): `sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/#iocs`