Full Report
Following the disclosure of the Command Center CVE-2025-34028 vulnerability, researchers are now warning about another critical threat: a max-severity flaw in Craft CMS, tracked as CVE-2025-32432. Attackers are chaining it with a critical input validation bug in the Yii framework (CVE-2024-58136) to power zero-day attacks, leading to server breaches and data theft. By mid-April, around […] The post CVE-2025-32432: Critical Craft CMS Vulnerability Is Actively Exploited in Zero-Day Attacks, Leads to Remote Code Execution appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Critical Craft CMS RCE via Chained Vulnerabilities (CVE-2025-32432)
## CVE Details
- CVE ID: CVE-2025-32432
- CVSS Score: Not stated in the source; it describes the flaw as "max-severity," implying Critical.
- CWE: Not stated in the source; the flaw stems from insecure handling of user-supplied input, leading to RCE.
## Affected Systems
- Products: Craft CMS
- Versions: Prior to 3.9.15, 4.14.15, and 5.6.17.
- Configurations: Any system running a vulnerable version of Craft CMS. The exploitation chain also relies on an unpatched Yii framework version affected by CVE-2024-58136.
## Vulnerability Description
CVE-2025-32432 in Craft CMS stems from the server insecurely interpreting data in a POST request, specifically the "return URL" parameter. Threat actors exploit this flaw in a two-stage chain:
1. **Stage 1 (CVE-2025-32432 exploitation):** An attacker crafts a request containing a malicious "return URL." This value is stored in a PHP session file on the server and is subsequently returned to the visitor in the server's HTTP response. This establishes an initial foothold.
2. **Stage 2 (CVE-2024-58136 exploitation):** The attacker leverages a separate vulnerability in the underlying Yii framework (CVE-2024-58136) by sending a malicious JSON payload. This payload executes the PHP code stored in the session file from Stage 1, leading to the upload and installation of a PHP file manager for subsequent system compromise (Remote Code Execution).
## Exploitation
- Status: Actively Exploited in Zero-Day Attacks
- Complexity: Not stated in the source; the ease of achieving RCE via the described chain implies Low.
- Attack Vector: Network
## Impact
- Confidentiality: High (Likely leads to full system access)
- Integrity: High (Likely leads to full system compromise)
- Availability: High (Potential for system disruption or complete takeover)
## Remediation
### Patches
The following patches address CVE-2025-32432:
- Craft CMS versions **3.9.15** and later.
- Craft CMS versions **4.14.15** and later.
- Craft CMS versions **5.6.17** and later.
**Prerequisite Patch:** The underlying vulnerability exploited in Stage 2 (CVE-2024-58136) in the Yii framework must also be patched. Yii developers addressed this in **Yii 2.0.52**. Users should ensure both Craft CMS and its underlying dependencies are updated.
### Workarounds
None explicitly listed, but immediate patching is critical due to active exploitation.
## Detection
The provided text does not detail specific Indicators of Compromise (IOCs) beyond the attack methodology (POST request with a crafted "return URL" followed by a malicious JSON payload leveraging CVE-2024-58136). Security teams should actively hunt for:
- Anomalous file writes or PHP shell uploads in web application logs.
- Traffic containing suspicious data within HTTP POST requests targeting the "return URL" parameter.
- Exploitation attempts leveraging CVE-2024-58136 when paired with file manipulation.
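As an added detection example (not code from the SOC Prime post, Craft CMS or Yii), the script below correlates the two stages described above over constructed request-log records: a POST whose return-URL parameter carries non-URL content, followed shortly by a JSON POST from the same source. The parameter names matched (`return_url`, `returnUrl`), the JSON-lines log format and the five-minute correlation window are assumptions.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed request-log records for this example. Ordinary access logs do not
# carry POST parameters, so this assumes a WAF or application request log.
SAMPLE_LOG = """
{"ts":"2025-04-15T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/index.php","ctype":"application/x-www-form-urlencoded","params":{"returnUrl":"/admin/dashboard"}}
{"ts":"2025-04-15T10:02:10Z","src":"198.51.100.9","method":"POST","path":"/index.php","ctype":"application/x-www-form-urlencoded","params":{"return_url":"<?php /* placeholder */ ?>"}}
{"ts":"2025-04-15T10:02:12Z","src":"198.51.100.9","method":"POST","path":"/index.php","ctype":"application/json","params":{}}
{"ts":"2025-04-15T10:30:00Z","src":"192.0.2.4","method":"POST","path":"/index.php","ctype":"application/json","params":{}}
"""

RETURN_URL_PARAM = re.compile(r"^return[_-]?url$", re.I)  # assumed naming; verify against your app
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
CHAIN_WINDOW = timedelta(minutes=5)  # assumed window between stage 1 and stage 2


def suspicious_return_url(value):
    """A legitimate return URL is a site-relative path or an http(s) URL.
    PHP tags, or any other scheme-less non-path content, are out of place."""
    if PHP_TAG.search(value):
        return True
    if urlparse(value).scheme in ("http", "https"):
        return False
    return not value.startswith("/")


def scan(log_text):
    """Return (alert_type, source, timestamp) tuples for the two-stage pattern."""
    stage1 = {}  # source address -> time of its last suspicious return-URL POST
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST":
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        for name, value in rec.get("params", {}).items():
            if RETURN_URL_PARAM.match(name) and suspicious_return_url(str(value)):
                stage1[rec["src"]] = ts
                alerts.append(("stage1_return_url", rec["src"], rec["ts"]))
        if rec.get("ctype", "").startswith("application/json"):
            t1 = stage1.get(rec["src"])
            if t1 is not None and timedelta(0) <= ts - t1 <= CHAIN_WINDOW:
                alerts.append(("stage2_json_after_stage1", rec["src"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

A stage-1 hit alone is worth investigating; a stage-2 hit from the same source within the window is the chain the advisory describes and should be escalated together with a check for new PHP files under the web root.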
## References
- Vendor Advisory (CVE-2025-32432 Patch): hxxps://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
- Vendor Advisory (CVE-2024-58136 Patch): hxxps://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52