Threat actors have been observed exploiting two recently disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access.
The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve the vulnerabilities below:
- CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS, which can be exploited to access restricted functionality or resources (a regression of CVE-2024-4990)
- CVE-2025-32432 (CVSS score: 10.0) - A remote code execution (RCE) vulnerability in Craft CMS (patched in versions 3.9.15, 4.14.15, and 5.6.17)
According to the cybersecurity company, CVE-2025-32432 resides in the built-in image transformation feature that allows site administrators to keep images in a specific format.
“CVE-2025-32432 relies on the fact that an unauthorized user can send a POST request to the endpoint responsible for the image transformation, and the data in the POST will be interpreted by the server,” said security researcher Nicolas Bourras.
“In versions 3.x of Craft CMS, the asset ID is checked before the transformation object is created, whereas in versions 4.x and 5.x, the asset ID is checked after. Thus, the threat actor must find a valid asset ID for the exploit to work with each version of Craft CMS.”
The asset ID, in the context of Craft CMS, refers to how documents and media files are managed, with each asset given a unique ID.
It was found that the threat actors behind the campaign sent multiple POST requests until a valid asset ID was identified, after which a Python script was executed to determine whether the server is vulnerable and, if so, download a PHP file from a GitHub repository onto the server.
“Between February 10 and 11, the threat actor improved his scripts by testing filemanager.php on the web server using a Python script,” the researcher said. “The filemanager.php file was renamed Autoload_Classmap.php on February 12 and was first used on February 14.”
Figure: Vulnerable Craft CMS instances by country
As of April 18, 2025, 13,000 Craft CMS instances were discovered, of which nearly 300 were compromised.
“If you are checking firewall logs or web server logs and find suspicious POST requests to the actions/assets/generate-transform controller endpoint, in particular with a string in the body, then your site was at least scanned for this vulnerability,” Craft CMS noted in an advisory. “This is not a confirmation that your site was compromised; it was only probed.”
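The log check the advisory describes can be scripted. The following is an added example, not code from Craft CMS or Orange Cyberdefense: it scans Combined Log Format access-log lines for POST requests to the transform endpoint and groups them by client IP, since repeated requests from one source fit the asset ID guessing described above. The endpoint path `actions/assets/generate-transform`, the `burst` threshold and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: controller path of the image-transform endpoint the advisory names.
ENDPOINT = "actions/assets/generate-transform"

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan(lines, burst=3):
    """Group POSTs to ENDPOINT by client IP; mark IPs with >= burst requests."""
    found = defaultdict(lambda: {"hits": 0, "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Decode and lowercase so path routing and query-string routing both match.
        if ENDPOINT not in unquote(m["target"]).lower():
            continue
        entry = found[m["ip"]]
        entry["hits"] += 1
        entry["statuses"].add(int(m["status"]))
    # "repeated" marks sources whose request count fits repeated asset ID attempts.
    return {ip: {**e, "repeated": e["hits"] >= burst} for ip, e in found.items()}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [14/Feb/2025:10:00:01 +0000] "POST /index.php?p=admin%2Factions%2Fassets%2Fgenerate-transform HTTP/1.1" 400 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Feb/2025:10:00:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 400 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Feb/2025:10:00:03 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.20 - - [14/Feb/2025:11:30:00 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [14/Feb/2025:11:30:05 +0000] "GET /actions/assets/generate-transform HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [14/Feb/2025:12:00:00 +0000] "POST /actions/users/login HTTP/1.1" 200 431 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in sorted(scan(SAMPLE).items()):
        print(ip, info["hits"], sorted(info["statuses"]), "REPEATED" if info["repeated"] else "")
```

Standard access logs do not record request bodies, so the body check the advisory mentions needs a WAF or reverse proxy that logs POST bodies.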
If there is evidence of compromise, users are advised to refresh security keys, rotate database credentials, reset user passwords out of an abundance of caution, and block malicious requests at the firewall level.
The disclosure comes alongside an Active! Mail zero-day stack-based buffer overflow vulnerability (CVE-2025-42599). It was fixed in version 6.60.06008562.
“If a remote third party sends a crafted request, it may be possible to execute arbitrary code or cause a denial-of-service (DoS),” Qualitia noted in a bulletin.