- Researchers discovered two zero-day vulnerabilities in Craft CMS
- Criminals chained them together to gain access to servers
- Some 300 sites have already been victims
Cybercriminals are abusing two zero-day vulnerabilities in the Craft content management system (CMS) to break into unpatched servers and achieve remote code execution (RCE). That is according to researchers at Orange Cyberdefense SensePost, who first saw the bugs being exploited in mid-February this year.
The two vulnerabilities are now tracked as CVE-2025-32432 and CVE-2024-58136. The first is a remote code execution bug carrying the maximum severity score of 10/10 (critical).
The latter is described as an improper protection of alternate path bug in the Yii PHP framework, which grants access to restricted functionality or resources. It is a regression of an older, previously tracked bug, CVE-2024-4990, and received a severity score of 9.0/10 (also critical).
Second increase
“CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation, and the data within that POST request would be interpreted by the server,” the researchers explained.
“In Craft CMS 3.x versions, the asset ID is checked before the creation of the transformation object, while in versions 4.x and 5.x, the asset ID is checked afterwards. Thus, for the exploit to work with every version of Craft CMS, the threat actor must find a valid asset ID.”
The researchers determined that there were around 13,000 vulnerable Craft CMS endpoints exposed. Nearly 300 have already been targeted. All users are advised to search for indicators of compromise and, if any are found, to refresh the security keys, rotate the database credentials, reset user passwords and block malicious requests at the firewall level.
A patch is now available for both flaws. Users must ensure that their Craft CMS instances are running versions 3.9.15, 4.14.15 or 5.6.17.
The bugs have not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
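To turn the fixed-version advice above into a quick fleet check, here is an added example (not code from the article, Craft CMS or the researchers) that classifies reported Craft CMS version strings against the three patched releases named in the article; the version strings and the handling of pre-release suffixes are my own assumptions.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Minimum patched Craft CMS release per major branch, as stated in the article.
# The trailing 1 marks a final release; a pre-release of the same number sorts below it.
PATCHED_VERSIONS = {3: (3, 9, 15, 1), 4: (4, 14, 15, 1), 5: (5, 6, 17, 1)}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional 'v' prefix.

    Any suffix (e.g. '-beta.1') is treated as a pre-release, which sorts
    below the final release of the same number, so '4.14.15-beta.1' is
    still considered older than the fixed 4.14.15 release.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def needs_patch(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch,
    False if it is at or above it, None if the branch has no published fix
    in the article (e.g. an unsupported 2.x install, which needs a manual look)."""
    v = parse_version(version)
    fixed = PATCHED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Label each inventory entry: 'patch', 'ok' or 'unknown-branch'."""
    labels = {True: "patch", False: "ok", None: "unknown-branch"}
    return {v: labels[needs_patch(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version, verdict in triage(["3.8.20", "4.14.15-beta.1", "5.6.17", "2.9.1"]).items():
        print(f"{version:16} {verdict}")
```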
Via The Hacker News