Full Report
A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware. The vulnerability in question is CVE-2025-32432, a maximum severity flaw in Craft CMS that was patched in
Analysis Summary
# Vulnerability: Remote Code Execution in Craft CMS Weaponized for Cryptojacking
## CVE Details
- CVE ID: CVE-2025-32432
- CVSS Score: Not stated in the source text (the flaw is described as maximum severity)
- CWE: N/A
## Affected Systems
- Products: Craft Content Management System (CMS)
- Versions: Craft CMS releases prior to 3.9.15, 4.14.15, and 5.6.17
- Configurations: N/A
## Vulnerability Description
CVE-2025-32432 is a critical Remote Code Execution (RCE) flaw in Craft CMS. Threat actors are exploiting this vulnerability to gain unauthorized access to target systems, deploy a web shell for persistent remote access, and subsequently download and execute malicious shell scripts. These scripts are designed to install a multi-stage payload resulting in cryptojacking and proxyware distribution.
## Exploitation
- Status: Exploited in the wild (Observed campaign attributed to threat actor Mimo)
- Complexity: Not stated in the source; the observed deployment of multi-stage payloads shows that a working exploit is in use.
- Attack Vector: Network (Implied, RCE vulnerabilities are typically exploitable remotely)
## Impact
- Confidentiality: High (Unauthorized access and persistence mechanisms suggest potential data access)
- Integrity: High (Installation of arbitrary payloads, web shells, and modification of system files like `/etc/ld.so.preload`)
- Availability: High (Resource exhaustion from cryptominer and system modification/stability impacts)
## Remediation
### Patches
The vendor has released patches for this vulnerability:
- Craft CMS version 3.9.15 and later.
- Craft CMS version 4.14.15 and later.
- Craft CMS version 5.6.17 and later.
### Workarounds
- No workaround is described in the source text; applying the patch is the priority. If patching is delayed, restrict network access to the affected application server (firewalling or access-control lists).
## Detection
- **Indicators of Compromise (IOCs):**
  - Presence of files named `4l4md4r.sh` or executables named `4l4md4r`.
  - Processes related to XMRig or other cryptocurrency miners executing on the system.
  - Presence of a shared library named `alamdar.so` loaded via `/etc/ld.so.preload`.
  - The Python `urllib2` library imported under the alias `fbi` in suspicious scripts.
- **Detection Methods and Tools:**
  - Monitoring outbound network connections from the web server to known mining pool infrastructure or C2 servers.
  - File integrity monitoring (FIM) alerts for modifications to `/etc/ld.so.preload`.
  - Endpoint Detection and Response (EDR) tools capable of detecting suspicious process injection or dynamic linker modifications.
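Added example (not code from the report or from either linked analysis): a small Python host check that applies three of the indicators above to constructed sample data, flagging unexpected entries in `/etc/ld.so.preload`, the `4l4md4r`/`alamdar.so` artefact names, and the `urllib2`-as-`fbi` import. The empty preload allowlist and the sample paths and scripts are assumptions; on a real host the callers would read the actual file, process list and script sources.

```python
import re
from pathlib import Path

# Artefact names taken from the report above.
SUSPECT_NAMES = {"4l4md4r", "4l4md4r.sh", "alamdar.so"}
# Assumed allowlist: libraries this host legitimately preloads (normally none).
PRELOAD_ALLOWLIST = set()
# Matches "import urllib2 as fbi" at the start of a line.
URLLIB2_ALIAS = re.compile(r"^\s*import\s+urllib2\s+as\s+fbi\b", re.M)

def check_preload(preload_text):
    """Return /etc/ld.so.preload entries that are not on the allowlist.

    The file holds one library path per line; on a clean host it is usually
    empty or absent, so any unexpected entry deserves an alert."""
    findings = []
    for line in preload_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry not in PRELOAD_ALLOWLIST:
            findings.append(entry)
    return findings

def check_names(paths):
    """Return file or process paths whose basename matches a known artefact."""
    return [p for p in paths if Path(p).name in SUSPECT_NAMES]

def check_script(source):
    """True if a Python source imports urllib2 under the alias 'fbi'."""
    return bool(URLLIB2_ALIAS.search(source))

def scan(preload_text, paths, scripts):
    """Run all three checks; return (indicator, detail) tuples for each hit."""
    hits = [("ld.so.preload", e) for e in check_preload(preload_text)]
    hits += [("artefact name", p) for p in check_names(paths)]
    hits += [("urllib2 alias", n) for n, src in scripts.items() if check_script(src)]
    return hits

# Constructed sample data standing in for a live host.
SAMPLE_PRELOAD = "/usr/lib/alamdar.so\n"
SAMPLE_PATHS = ["/tmp/4l4md4r.sh", "/usr/bin/bash", "/var/tmp/4l4md4r"]
SAMPLE_SCRIPTS = {
    "dl.py": "import urllib2 as fbi\ndata = fbi.urlopen(url).read()\n",
    "ok.py": "import urllib2\n",
}

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PRELOAD, SAMPLE_PATHS, SAMPLE_SCRIPTS):
        print(f"[ALERT] {kind}: {detail}")
```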
## References
- Vendor Advisories: Disclosure occurred in April 2025, with patches released concurrently for affected versions.
- Relevant Links:
  - Report on initial disclosure/patch: hxxps://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html
  - Sekoia analysis of the Mimo campaign: hxxps://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/