Critical Craft CMS Vulnerabilities Exploited in Zero-Day Attacks: What You Must Know

Threat actors are exploiting two recently disclosed critical vulnerabilities, one in Craft CMS itself and one in the Yii PHP framework it is built on, to gain unauthenticated access to web servers and take them over. Orange Cyberdefense SensePost first observed the attacks on February 14, 2025; administrators and developers running Craft CMS need to act immediately.

Both vulnerabilities, CVE-2024-58136 (CVSS 9.0) and CVE-2025-32432 (CVSS 10.0), are rated critical. CVE-2024-58136 is an improper protection of alternate path flaw in the Yii PHP framework, reached through a __class key in request data; CVE-2025-32432 is an unauthenticated remote code execution flaw in Craft CMS's asset image-transformation action (actions/assets/generate-transform).

In the observed attacks the two flaws are chained. A Python script sends repeated POST requests to the transform action, each with a different asset ID, until the server's response reveals a valid one. With a valid ID in hand, the same request type is used to write a PHP-based file manager to the server, from which the attackers drop further PHP files and take full control of the host. As of April 18, 2025, roughly 13,000 Craft CMS instances were still vulnerable and nearly 300 had likely been compromised.

Administrators should update to Craft CMS 3.9.15, 4.14.15, or 5.6.17 immediately. Probing leaves a trace: POST requests to the actions/assets/generate-transform endpoint whose body contains the string __class. Note that a standard web-server access log records the request line but not the body, so this check needs a WAF, reverse-proxy or application log that captures POST bodies, or a packet capture. If compromise is suspected, rotate the database credentials, force a password reset for all users, refresh the application's security key, remove any unexpected PHP files from web-accessible directories, and block the offending source addresses.

In parallel, another critical zero-day, CVE-2025-42599 in Active! Mail, a webmail product widely deployed in Japan, is also under active exploitation, underscoring the elevated global risk.

What Undercode Says: Deep Analysis of the Craft CMS Vulnerabilities

The current wave of attacks against Craft CMS illustrates a recurring pattern: flaws in a platform's dependencies (here the Yii framework) and in its unauthenticated, internet-facing endpoints are prime targets. Both CVE-2024-58136 and CVE-2025-32432 are fundamental flaws that stricter input validation, and tighter control over which endpoints accept object configuration from untrusted requests, would have mitigated.

The core issue with CVE-2025-32432 is the order in which the image-transformation action validates its input. In Craft 4.x and 5.x the transform object is built from request data first and the asset ID is checked only afterwards, so attacker-controlled configuration is processed before the request is rejected. That is the window the attackers use, and it departs from the safer order used in 3.x, where the asset ID is validated earlier.
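To make the ordering problem concrete, here is a small Python model added for this article; it is not Craft CMS or Yii code. The class registry, the way a __class key selects the class to build, and the asset table are assumptions chosen to mirror the advisory's description rather than the real internals. The vulnerable handler builds the transform object before checking the asset ID; the fixed handler validates the asset ID first and refuses to let request data choose the class at all.

```python
"""Minimal model of the ordering flaw behind CVE-2025-32432 as the advisory
describes it: the transform object is built from request data before the
asset ID is validated.  Added illustration for this page, not Craft CMS or
Yii code; the registry, the __class lookup and the asset table are
assumptions standing in for the real internals.
"""

import dataclasses

# Constructed asset table standing in for the CMS database.
KNOWN_ASSETS = {1: "hero.jpg", 2: "logo.png"}

# Every object built from request data is recorded here so the two handlers
# can be compared on what they instantiated, not only on what they returned.
INSTANTIATED = []


@dataclasses.dataclass
class ImageTransform:
    """The only class the transform action should ever build."""
    width: int = 0
    height: int = 0

    def __post_init__(self):
        INSTANTIATED.append("ImageTransform")


class AttackerGadget:
    """Stand-in for any class whose constructor has a side effect useful to
    an attacker; in this model instantiation itself is the damage."""

    def __init__(self, **kwargs):
        INSTANTIATED.append("AttackerGadget")


REGISTRY = {"ImageTransform": ImageTransform, "AttackerGadget": AttackerGadget}


def create_from_config(config: dict):
    """Configure-by-array as modelled here (assumption): a __class key in
    the request data names the class to build, which is how the __class
    indicator from the advisory reaches object creation in this model."""
    cfg = dict(config)
    cls = REGISTRY[cfg.pop("__class", "ImageTransform")]
    return cls(**cfg)


def generate_transform_vulnerable(asset_id, transform_cfg: dict):
    """4.x/5.x-style order per the advisory: build first, validate second.
    The asset check still rejects a bogus ID, but by then the attacker's
    configuration has already been turned into an object."""
    transform = create_from_config(transform_cfg)
    if asset_id not in KNOWN_ASSETS:
        raise ValueError("unknown asset")
    return transform


def generate_transform_fixed(asset_id, transform_cfg: dict):
    """Validate before building, and never let request data pick the class:
    reject anything that is not a plain ImageTransform field."""
    if not isinstance(asset_id, int) or asset_id not in KNOWN_ASSETS:
        raise ValueError("unknown asset")
    allowed = {f.name for f in dataclasses.fields(ImageTransform)}
    unexpected = set(transform_cfg) - allowed
    if unexpected:
        raise ValueError(f"rejected transform keys: {sorted(unexpected)}")
    return ImageTransform(**transform_cfg)


def probe(handler, asset_id, transform_cfg: dict):
    """Send one request through a handler and report what the client sees
    (accepted or rejected) alongside what the server actually instantiated."""
    start = len(INSTANTIATED)
    try:
        handler(asset_id, transform_cfg)
        accepted = True
    except ValueError:
        accepted = False
    return accepted, INSTANTIATED[start:]


if __name__ == "__main__":
    gadget = {"__class": "AttackerGadget", "cmd": "id"}
    # Enumeration step: the bogus asset ID is rejected, yet the gadget was built.
    print("vulnerable, bad ID:", probe(generate_transform_vulnerable, 999, gadget))
    print("fixed, bad ID:     ", probe(generate_transform_fixed, 999, gadget))
    # Once a valid ID is known the vulnerable handler accepts the gadget outright.
    print("vulnerable, ID 1:  ", probe(generate_transform_vulnerable, 1, gadget))
    print("fixed, ID 1:       ", probe(generate_transform_fixed, 1, gadget))
    print("fixed, legit:      ", probe(generate_transform_fixed, 1, {"width": 320}))
```

The point the model makes is that a rejection sent to the client says nothing about what the server already did: with the vulnerable ordering every probe, valid asset ID or not, instantiates whatever __class names. The fix has two halves, validating the ID before any object is built and refusing reserved or unknown keys, and dropping either half leaves a path open.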

The attackers' method, sending POST request after POST request until a valid asset ID turns up, is simple but fully automated: a classic enumeration loop wrapped in a modern script, which is exactly what makes it cheap to run against thousands of sites at once.

Hosting the malicious payload on GitHub is another noteworthy element. Fetching tooling from a legitimate development platform blurs the line between ordinary developer traffic and attack infrastructure, so outbound connections from a production web server to code-hosting sites deserve scrutiny.

More broadly, the fact that some 13,000 instances were still exposed days after the patched releases shipped points to a failure of patch management across organizations. Enterprises need automated, continuous patching and security validation pipelines, especially for core CMS platforms that hold sensitive assets.

Administrators should also watch firewall and application logs closely. Catching probing early, for example POST requests to the transform action that carry the __class keyword, buys lead time to block the source before a valid asset ID is found and the upload step succeeds.
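The following Python detector, added here as an example rather than code from Craft CMS, SensePost or the original article, applies the check described above and in the patching guidance earlier on the page to captured requests. It assumes the input is one record per request with the source address, method, path and body, as a WAF or a reverse proxy with body logging would supply (plain access logs do not contain POST bodies); the sample records are constructed. It decodes percent-encoded form bodies and JSON unicode escapes before looking for __class, since a plain substring grep of the raw body misses both, and it counts probes per source address because the enumeration loop shows up as many POSTs from one client.

```python
"""Flag requests matching the probing pattern from the Craft CMS advisory:
a POST to the assets/generate-transform action whose body carries a __class
key.  Added example for this page, not Craft CMS, SensePost or Yii code.
Input records (assumption) are {"src", "method", "path", "body"} as a WAF or
body-logging proxy would capture them; the samples below are constructed.
"""

import json
import re
from urllib.parse import unquote_plus

# Craft can route the action via the URL path or via the p=/action= query
# parameters, so match the action name anywhere in the decoded request line.
TRANSFORM_RE = re.compile(r"assets/generate-transform", re.IGNORECASE)
CLASS_KEY_RE = re.compile(r"__class", re.IGNORECASE)


def is_transform_action(path: str) -> bool:
    """True when the request targets the image-transformation action."""
    return bool(TRANSFORM_RE.search(unquote_plus(path)))


def _json_has_key(node, key: str) -> bool:
    """Recursive search for a key anywhere in a decoded JSON document."""
    if isinstance(node, dict):
        return any(k == key or _json_has_key(v, key) for k, v in node.items())
    if isinstance(node, list):
        return any(_json_has_key(v, key) for v in node)
    return False


def body_has_class_key(body: str) -> bool:
    """Look for __class after decoding.  A percent-encoded form field
    (%5F%5Fclass) or a JSON key written with \\u005f escapes would otherwise
    slip past a plain substring grep of the raw body."""
    if CLASS_KEY_RE.search(unquote_plus(body)):
        return True
    try:
        decoded = json.loads(body)
    except ValueError:  # not JSON (JSONDecodeError is a ValueError)
        return False
    return _json_has_key(decoded, "__class")


def classify(record: dict) -> str:
    """'probe' = the advisory's indicator; 'class-key-elsewhere' = __class
    sent to some other endpoint (worth a look, but not this exploit chain)."""
    is_post = record.get("method", "").upper() == "POST"
    has_key = body_has_class_key(record.get("body", ""))
    if is_post and is_transform_action(record.get("path", "")) and has_key:
        return "probe"
    if has_key:
        return "class-key-elsewhere"
    return "benign"


def summarize(records) -> dict:
    """Probe count per source address.  Several probes from one client, each
    with a different asset ID, is the enumeration loop described above."""
    counts: dict = {}
    for rec in records:
        if classify(rec) == "probe":
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


# Constructed sample traffic (not real captures).  203.0.113.7 enumerates
# asset IDs 1..3 using two encoding tricks; 198.51.100.20 is ordinary use.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST",
     "path": "/index.php?p=admin/actions/assets/generate-transform",
     "body": "assetId=1&transform%5B%5F%5Fclass%5D=example%5CGadget"},
    {"src": "203.0.113.7", "method": "POST",
     "path": "/actions/assets/generate-transform",
     "body": r'{"assetId": 2, "transform": {"\u005f\u005fclass": "example\\Gadget"}}'},
    {"src": "203.0.113.7", "method": "POST",
     "path": "/index.php?p=admin/actions/assets/generate-transform",
     "body": "assetId=3&transform[__class]=example\\Gadget"},
    {"src": "198.51.100.20", "method": "POST",
     "path": "/index.php?p=admin/actions/assets/generate-transform",
     "body": "assetId=12&handle=thumb"},
    {"src": "198.51.100.20", "method": "POST",
     "path": "/index.php?p=admin/actions/users/login",
     "body": "loginName=editor&__class=x"},
    {"src": "192.0.2.9", "method": "GET",
     "path": "/actions/assets/generate-transform", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_REQUESTS:
        print(rec["src"], rec["method"], classify(rec))
    print("probes per source:", summarize(SAMPLE_REQUESTS))
```

Run it against exported WAF or proxy records with the same four fields. A source that shows up in summarize() with several probes is past the scanning stage and into enumeration; the practical response is to block that address and then check the host for the file-manager upload described earlier, since a rejection logged for a bogus asset ID does not mean the request was harmless on the server side.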

The Craft CMS advisory is careful to distinguish probing from successful compromise. Undercode nevertheless recommends treating any sign of probing as a serious incident that warrants a full forensic investigation and a security audit.

Lastly, the simultaneous exploitation of Active! Mail in Japan (CVE-2025-42599) is a reminder that attackers are opportunistic: they hit multiple products at once to widen their odds. Organizations running any internet-facing software must stay proactive so they are not the low-hanging fruit attackers are looking for.

Regular vulnerability assessments, layered defenses, secure coding practices, and a tested incident response plan are no longer optional; they are survival requirements in today's threat landscape.

Fact Checker Results

  1. The vulnerabilities CVE-2024-58136 and CVE-2025-32432 have been officially listed with the described CVSS scores.
  2. Patch versions 3.9.15, 4.14.15, and 5.6.17 for Craft CMS have been confirmed to fix the mentioned vulnerabilities.
  3. Roughly 13,000 Craft CMS instances remained vulnerable as of April 18, 2025, with nearly 300 likely compromised, according to Orange Cyberdefense SensePost.


References:

Reported By: thehackernews.com