Critical Vulnerabilities Discovered in Craft CMS: Thousands of Websites at Risk

CyberSecureFox 🦊

Orange Cyberdefense researchers have uncovered a large-scale attack campaign exploiting two critical vulnerabilities in the Craft CMS platform. Chained together, the flaws let an attacker with no credentials run code on the web server, putting thousands of websites at significant risk.

Understanding the Critical Vulnerabilities

The first vulnerability (CVE-2024-58136) lies in the Yii 2 PHP framework on which Craft CMS is built. Rated 9.0 on the CVSS scale, it is an improper protection of alternate path weakness: request data can reach framework internals through a route that the intended input validation never covers. On its own it is a framework bug; in this campaign it is chained with the Craft flaw below, which is what turns it into a server compromise.

More severe still is the second vulnerability (CVE-2025-32432), which received the maximum CVSS score of 10.0. This flaw sits in Craft CMS's asset transform (image processing) functionality and is present in the 3.x, 4.x and 5.x branches. It allows remote code execution (RCE) without authentication, giving an attacker full control of the affected web server.

Attack Methodology and Technical Analysis

The campaign, first detected on February 14, 2025, is fully automated. The attackers begin by sending POST requests to the vulnerable action with candidate asset IDs until the server's response reveals a valid one (the exploit needs a real asset ID to work). A Python script then confirms that the target is exploitable and fetches the malicious PHP payload from GitHub repositories, installing it on the compromised server. The sequence is cheap to run at scale, which is consistent with the number of affected sites.

Impact Assessment and Detection Methods

Security researchers have identified approximately 13,000 vulnerable Craft CMS installations, and roughly 300 of them are confirmed compromised. The primary indicator of compromise is a POST request to the assets/generate-transform controller action (reached through the actions/assets/generate-transform URL on a default install) whose body contains the string "__class", a parameter name that has no place in a legitimate transform request.

To close both holes, system administrators must immediately upgrade Craft CMS to version 3.9.15, 4.14.15 or 5.6.17 (or a later release in the same branch), which patch both vulnerabilities. Patching alone does not evict an attacker who got in first: check web server and WAF logs for the indicator above, and treat any site that shows it as compromised until an audit says otherwise (unexpected PHP files under the web root are the obvious place to start, since the payload is PHP). Ongoing log monitoring and a web application firewall (WAF) in front of the site reduce exposure to the next round of automated attacks.
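As an added example (not code from Craft CMS, Orange Cyberdefense or this site), the following Python script puts the checks from this article into runnable form: a version test against the fixed releases listed above, a scan of request records for the "__class" indicator, and a check for the asset-ID probing described under the attack methodology. The JSON-lines log format, its field names and the sample records are constructed assumptions for the example; a real deployment would feed it whatever a WAF or reverse proxy with body logging records.

```python
"""Triage helpers for the Craft CMS campaign described above.

Added example (not Craft CMS, Orange Cyberdefense or CyberSecureFox code).
The log format is a constructed JSON-lines record with method, request
target and POST body, as a WAF or reverse proxy with body logging might emit.
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus

# Minimum patched Craft CMS release per major branch, from the advisory.
PATCHED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

# Matches the generate-transform action whether it appears as a path segment
# (/actions/assets/generate-transform) or as an action= query parameter.
ENDPOINT_RE = re.compile(r"assets/generate-transform(?=$|[/?&#])")
CLASS_MARKER_RE = re.compile(r"__class")


def parse_version(version):
    """'5.6.16' -> (5, 6, 16); any further components are ignored."""
    return tuple(int(p) for p in version.strip().split(".")[:3])


def is_patched(version):
    """True if the release is at or above the fixed version for its branch.
    Branches outside 3.x-5.x are reported as not patched so they get looked at."""
    parts = parse_version(version)
    fixed = PATCHED.get(parts[0])
    return fixed is not None and parts >= fixed


def is_suspicious(method, target, body):
    """The advisory's primary IoC: a POST to generate-transform whose body
    carries `__class`, whether written literally or percent-encoded."""
    if method.upper() != "POST" or not ENDPOINT_RE.search(target):
        return False
    body = body or ""
    return bool(CLASS_MARKER_RE.search(body) or CLASS_MARKER_RE.search(unquote_plus(body)))


def _records(lines):
    """Yield parsed JSON records, skipping blank or malformed lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; skip rather than abort the scan


def scan_log(lines):
    """Return (ts, src, target) for every record matching the __class IoC."""
    return [
        (r.get("ts"), r.get("src"), r.get("uri"))
        for r in _records(lines)
        if is_suspicious(r.get("method", ""), r.get("uri", ""), r.get("body", ""))
    ]


def enumeration_sources(lines, threshold=3):
    """Sources that POST the action with at least `threshold` distinct assetId
    values: the asset-ID probing that precedes the exploit attempt."""
    ids_by_src = defaultdict(set)
    for r in _records(lines):
        if r.get("method", "").upper() != "POST" or not ENDPOINT_RE.search(r.get("uri", "")):
            continue
        for asset_id in parse_qs(r.get("body", "")).get("assetId", []):
            ids_by_src[r.get("src")].add(asset_id)
    return sorted(src for src, ids in ids_by_src.items() if len(ids) >= threshold)


# Constructed sample; values after '=' are placeholders, not real payloads.
SAMPLE_LOG = """\
{"ts":"2025-02-14T03:12:01Z","src":"203.0.113.7","method":"POST","uri":"/actions/assets/generate-transform","body":"assetId=1"}
{"ts":"2025-02-14T03:12:02Z","src":"203.0.113.7","method":"POST","uri":"/actions/assets/generate-transform","body":"assetId=2"}
{"ts":"2025-02-14T03:12:03Z","src":"203.0.113.7","method":"POST","uri":"/actions/assets/generate-transform","body":"assetId=3"}
{"ts":"2025-02-14T03:12:09Z","src":"203.0.113.7","method":"POST","uri":"/actions/assets/generate-transform","body":"assetId=3&__class=placeholder"}
{"ts":"2025-02-14T03:12:10Z","src":"203.0.113.7","method":"POST","uri":"/index.php?action=assets/generate-transform","body":"assetId=3&%5F%5Fclass=placeholder"}
{"ts":"2025-02-14T03:13:00Z","src":"198.51.100.4","method":"GET","uri":"/actions/assets/generate-transform?assetId=3","body":""}
{"ts":"2025-02-14T03:14:00Z","src":"198.51.100.4","method":"POST","uri":"/actions/users/login","body":"loginName=editor&password=placeholder"}
not json at all
"""

if __name__ == "__main__":
    for v in ("5.6.16", "5.6.17", "4.14.15", "3.9.14", "2.0.0"):
        print(f"Craft {v}: {'patched' if is_patched(v) else 'VULNERABLE / check'}")
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("IoC hit:", hit)
    print("asset-ID enumeration from:", enumeration_sources(SAMPLE_LOG.splitlines()))
```

Standard access logs do not record POST bodies, so both the "__class" check and the assetId count only work where a WAF or proxy logs bodies; without that, the fallback signal is a burst of POSTs to the generate-transform action from one source, which the same request-target match can count.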
