The Craft CMS vulnerabilities CVE-2024-58136 and CVE-2025-32432 have triggered a wave of zero-day attacks, with hackers breaching servers worldwide. According to Orange Cyberdefense SensePost, these critical flaws have been actively exploited since February 14, 2025.
The first flaw, CVE-2024-58136, is an improper protection of alternate paths in the Yii PHP framework that Craft CMS is built on, which lets attackers bypass restrictions the framework is supposed to enforce. The second, CVE-2025-32432, is a critical remote code execution (RCE) vulnerability in Craft CMS’s image transformation feature; chained with the Yii flaw, it lets an unauthenticated attacker run code on the server. Craft CMS fixed both in versions 3.9.15, 4.14.15, and 5.6.17.
Security researcher Nicolas Bourras of SensePost explained how CVE-2025-32432 works. An unauthenticated user can send a crafted POST request to the image transformation endpoint, and Craft passes the attacker-supplied parameters into object configuration on the Yii side, where the __class key lets the request choose which class gets instantiated. The versions differ in when the asset ID is validated: Craft 3.x checks it before that data is processed, so an attacker needs a valid asset ID, while 4.x and 5.x check it afterwards, which makes exploitation easier.
Against 3.x, attackers closed this gap by sending repeated POST requests to the endpoint until they hit a valid asset ID. Once they had one, they ran a Python script to confirm the server was exploitable, and on exploitable servers they had the host fetch a malicious PHP file from a GitHub repository to extend their control.
Between February 10 and February 12, the attackers refined their tooling. At first they dropped a file named filemanager.php; later they renamed it autoload_classmap.php, a filename that blends in with Composer’s own generated files, to avoid detection. The attacks intensified from February 14, 2025.
As of April 18, researchers counted about 13,000 vulnerable Craft CMS instances exposed globally, and nearly 300 servers showed signs of compromise. Craft CMS has urged administrators to check their firewall and web-server logs: POST requests to the “actions/assets/generate-transform” endpoint, especially ones containing __class, indicate probing activity.
Craft CMS cautioned that seeing such requests shows the site was scanned, not that it was breached. Even so, it recommends refreshing the security key (php craft setup/security-key), rotating database credentials, resetting user passwords, and blocking the malicious IPs at the firewall.
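A log-scanning example for the indicator Craft described, added here and not taken from Craft’s advisory or the SensePost research. It assumes a combined-format web-server access log; the six log lines are constructed for the demonstration, the IP addresses come from documentation ranges, and the two URL shapes (a bare action path and the p= query parameter) are assumptions about how the endpoint shows up in a given deployment.

```python
"""Scan access-log lines for CVE-2025-32432 probing of Craft CMS.

Added example, not part of Craft CMS or the SensePost research. It applies
the indicator Craft published (POST requests to actions/assets/generate-transform,
especially ones carrying __class) to constructed access-log lines.
A standard access log records only the request line, so a __class key sent in
the POST body is invisible here; it is caught only when it appears in the query
string or when the log source captures bodies (WAF, reverse-proxy audit log).
"""
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "actions/assets/generate-transform"

# Common/combined log format: ip ident user [time] "METHOD url HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one host enumerating asset IDs and then sending __class
# in the query string, one benign visitor, one lone probe from a second host.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Feb/2025:08:01:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 400 512
203.0.113.10 - - [14/Feb/2025:08:01:03 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 400 512
203.0.113.10 - - [14/Feb/2025:08:01:05 +0000] "POST /index.php?p=admin/actions/assets/generate-transform&assetId=3&handle%5B__class%5D=x HTTP/1.1" 200 1842
198.51.100.7 - - [14/Feb/2025:09:10:00 +0000] "GET /blog/hello-world HTTP/1.1" 200 9120
198.51.100.7 - - [14/Feb/2025:09:10:04 +0000] "POST /actions/users/login HTTP/1.1" 302 0
192.0.2.44 - - [14/Feb/2025:10:00:00 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 400 512
"""


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = unquote(rec["url"])  # decode %5B__class%5D -> [__class]
    return rec


def is_transform_probe(rec):
    """POST to the transform action, whether routed by path or by the p= parameter."""
    return rec["method"] == "POST" and ENDPOINT in rec["url"]


def carries_class_key(rec):
    """True when a (possibly nested, e.g. handle[__class]) __class parameter is visible."""
    return "__class" in rec["url"]


def scan(log_text):
    """Return every probing request found in the log, annotated with the __class flag."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_transform_probe(rec):
            rec["class_key"] = carries_class_key(rec)
            probes.append(rec)
    return probes


def summarize(probes):
    """Per-IP counts: repeated probes match the asset-ID enumeration seen in the
    attacks, a visible __class key or a 200 response deserves a closer look."""
    by_ip = defaultdict(lambda: {"probes": 0, "class_key": 0, "ok": 0})
    for p in probes:
        s = by_ip[p["ip"]]
        s["probes"] += 1
        s["class_key"] += int(p["class_key"])
        s["ok"] += int(p["status"] == "200")
    return dict(by_ip)


if __name__ == "__main__":
    for ip, stats in summarize(scan(SAMPLE_LOG)).items():
        print(f"{ip}: {stats}")
```

Scanned instances, not just exploited ones, will show up in this output, which is exactly Craft’s caveat: a hit means the host was probed and is a candidate for key rotation and a closer look at the filesystem, not proof of a breach. Feeding it a WAF or proxy log that records request bodies is what makes the __class flag reliable.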
These Craft CMS vulnerabilities highlight a growing risk. Attackers increasingly target widely used CMS platforms, knowing that delayed patching leaves many sites exposed.
The disclosure coincided with another critical threat. Active! Mail, an email client widely used in Japan, was also under active exploitation through a buffer overflow flaw, CVE-2025-42599, which attackers used to achieve remote code execution; a patch is available in version 6.60.06008562.
Given the heightened threat environment, security teams must prioritize patch management, enhance threat detection, and monitor server activities closely. Immediate action remains the best defense against emerging zero-day exploits.