Full Report
Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP
Analysis Summary
# Vulnerability: Chained Critical Flaws in Craft CMS leading to Remote Code Execution
## CVE Details
- CVE ID: CVE-2024-58136, CVE-2025-32432
- CVSS Score: 9.0 (High) for CVE-2024-58136; 10.0 (Critical) for CVE-2025-32432
- CWE: Not explicitly listed, but involves improper protection of alternate path (CVE-2024-58136) and RCE (CVE-2025-32432).
## Affected Systems
- Products: Craft CMS (utilizing the Yii PHP framework)
- Versions:
- CVE-2025-32432 is patched in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17. All versions predating these patches are vulnerable.
- Configurations: Exploitation requires chaining the two flaws. For CVE-2025-32432, a valid asset ID is needed on every major version: on 3.x the asset ID is checked before the transformation object is created, whereas on 4.x and 5.x it is checked *after* the transformation object is created, so the attacker must still find a valid asset ID regardless of version.
## Vulnerability Description
Threat actors are chaining two vulnerabilities to achieve Remote Code Execution (RCE) on Craft CMS servers.
1. **CVE-2024-58136 (CVSS 9.0):** An improper protection of an alternate path flaw in the underlying Yii PHP framework used by Craft CMS, allowing access to restricted functionality or resources (a regression of CVE-2024-4990).
2. **CVE-2025-32432 (CVSS 10.0):** A critical RCE vulnerability within Craft CMS's built-in image transformation feature. An unauthenticated user can send a POST request to the image transformation endpoint (`actions/assets/generate-transform`). The exploit relies on manipulating the POST data interpreted by the server. Attackers must locate a valid asset ID to successfully trigger the RCE payload across different major versions of Craft CMS.
## Exploitation
- Status: Exploited in the wild (Observed since February 14, 2025).
- Complexity: Medium (Requires discovery of a valid asset ID by brute-forcing POST requests before the RCE payload is delivered).
- Attack Vector: Network (Unauthenticated POST requests).
## Impact
- Confidentiality: High (Implied, as RCE allows execution of arbitrary code, potentially leading to data exfiltration).
- Integrity: High (Full server compromise via RCE).
- Availability: High (System disruption or complete takeover).
## Remediation
### Patches
The following versions include patches addressing CVE-2025-32432:
- Craft CMS version 3.9.15
- Craft CMS version 4.14.15
- Craft CMS version 5.6.17
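A quick inventory check is the first thing an operator wants after reading the patched-version list. The following is an added example (not code from Craft CMS or the advisory) that compares an installed Craft CMS version against the fixed release on its own major branch; the `triage` inventory and its host names are constructed for illustration, and the treatment of pre-release suffixes is this example's own assumption.

```python
"""Added example, not from the Craft CMS advisory: classify installed
Craft CMS versions against the releases that patch CVE-2025-32432."""

# Fixed releases per major branch, exactly as listed in the advisory.
PATCHED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}


def parse_version(version: str) -> tuple:
    """Turn '4.14.15' or 'v4.14.15-beta.1' into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release,
    so '4.14.15-beta.1' sorts below '4.14.15' (assumption of this example:
    a pre-release of the fixed version is treated as not yet fixed).
    """
    raw = version.strip().lstrip("v")
    core, _, suffix = raw.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if suffix else 1)


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release on its branch.

    Branches with no listed fix (for example 2.x) are reported as unpatched,
    because the advisory gives no safe version for them.
    """
    v = parse_version(version)
    fixed = PATCHED.get(v[0])
    if fixed is None:
        return False
    return v >= fixed + (1,)


def triage(inventory: dict) -> dict:
    """Map host -> 'patched' | 'VULNERABLE' for a {host: version} inventory."""
    return {host: ("patched" if is_patched(ver) else "VULNERABLE")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; host names and versions are illustrative only.
    sample = {
        "web-01.example": "3.9.15",
        "web-02.example": "4.14.14",
        "web-03.example": "5.6.17",
        "web-04.example": "4.14.15-beta.1",
    }
    for host, status in triage(sample).items():
        print(f"{host:20} {sample[host]:16} {status}")
```

Run it against a real inventory by replacing the `sample` dictionary with the output of your configuration-management or asset tooling; anything reported `VULNERABLE` should be upgraded to the listed release for its branch.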
### Workarounds
If patching cannot be done immediately, operators should aggressively monitor for and block malicious requests. Evidence of probing activity includes suspicious POST requests targeted at the `actions/assets/generate-transform` Craft controller endpoint, especially those containing the string `__class` in the body.
If signs of compromise are found:
1. Refresh security keys.
2. Rotate database credentials.
3. Reset user passwords.
4. Block malicious requests at the network or application firewall layer.
## Detection
- Indicators of Compromise (IoCs): Suspicious POST requests targeting the endpoint `actions/assets/generate-transform`.
- Detection methods and tools: Review web server and firewall logs for the specific POST requests mentioned above, particularly those containing `__class` in the request body. Post-exploitation, look for uploaded or renamed PHP files (e.g., `filemanager.php` or `autoload_classmap.php`) on the web server.
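The detection guidance above (and the monitoring workaround in the Workarounds section) boils down to three checks: POST requests to the `actions/assets/generate-transform` endpoint, the `__class` marker in a request body, and the named PHP files on disk. The following is an added example, not code from SensePost or Craft CMS, that implements those checks over constructed sample data: the access-log lines are in the common nginx/Apache combined format, the IP addresses are documentation ranges, and the body strings and file list are made up for illustration.

```python
"""Added example (not from the original report): triage web-server logs,
request bodies and web-root file listings for the CVE-2025-32432 indicators."""
import re
from collections import Counter
from urllib.parse import unquote_plus

ENDPOINT = "actions/assets/generate-transform"
SUSPICIOUS_PHP = {"filemanager.php", "autoload_classmap.php"}

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample access log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Feb/2025:10:12:01 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 400 120 "-" "python-requests/2.31"
203.0.113.5 - - [14/Feb/2025:10:12:02 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 400 120 "-" "python-requests/2.31"
198.51.100.7 - - [14/Feb/2025:10:15:44 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Feb/2025:10:16:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def scan_access_log(text: str) -> list:
    """Return parsed entries for POST requests that reach the transform endpoint."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip
        if m["method"] == "POST" and ENDPOINT in m["path"]:
            hits.append({"ip": m["ip"], "time": m["time"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def count_by_source(hits: list) -> dict:
    """Requests per source IP; a burst from one address matches the
    asset-ID brute-forcing described in the report."""
    return dict(Counter(h["ip"] for h in hits))


def body_has_class_marker(body: str) -> bool:
    """True if a request body carries `__class`, also after URL-decoding,
    so percent-encoded underscores (%5F) do not slip past the check."""
    return "__class" in body or "__class" in unquote_plus(body)


def suspicious_php_files(filenames: list) -> list:
    """Return names from a web-root listing that match the report's
    post-exploitation file names (case-insensitive on the basename)."""
    return [f for f in filenames
            if f.rsplit("/", 1)[-1].lower() in SUSPICIOUS_PHP]


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    print("endpoint POSTs:", len(hits), "by source:", count_by_source(hits))
    # Constructed bodies: the first only carries the marker string, the
    # second is a benign transform request.
    for body in ("assetId=1&transform%5B%5F%5Fclass%5D=x", "assetId=1&handle=thumb"):
        print(body, "->", body_has_class_marker(body))
    listing = ["web/index.php", "web/filemanager.php", "vendor/composer/autoload_real.php"]
    print("suspicious files:", suspicious_php_files(listing))
```

Feed `scan_access_log` the contents of your access log and `suspicious_php_files` the output of a recursive listing of the web root; since standard access logs do not record request bodies, `body_has_class_marker` is meant for WAF or application logs that do, or for an inline check at the application firewall.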
## References
- SensePost investigation: hxxps://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
- Craft CMS Advisory: hxxps://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
- NVD (CVE-2024-58136): hxxps://nvd.nist.gov/vuln/detail/CVE-2024-58136
- NVD (CVE-2025-32432): hxxps://nvd.nist.gov/vuln/detail/CVE-2025-32432