
Security researcher Chocapikk has published a Metasploit module for a critical zero-day vulnerability impacting Craft CMS, tracked as CVE-2025-32432 (CVSS 10). This remote code execution (RCE) flaw, when combined with another input validation vulnerability in the Yii framework (CVE-2024-58136), has been actively exploited in the wild to breach servers and steal sensitive data.
CERT Orange Cyberdefense’s investigation revealed that attackers chained two zero-day vulnerabilities in Craft CMS to breach servers and steal data, with ongoing exploitation.
The attack unfolds in two stages:
- CVE-2025-32432 – Remote Code Execution in Craft CMS:
Attackers send a specially crafted HTTP request containing a “return URL” parameter, which is improperly saved into a PHP session file. The session name is then returned in the HTTP response.
- CVE-2024-58136 – Yii Framework Input Validation Flaw:
A malicious JSON payload is sent, leveraging the input validation flaw to trigger PHP code execution from the crafted session file.
This clever chaining of vulnerabilities enables attackers to install a PHP-based file manager on compromised servers, granting them full control over the systems.
The SensePost report indicated that the attacker’s malicious JSON payload triggered the execution of PHP code within the session file on the server.
Both vulnerabilities have since been addressed:
- Craft CMS released patches for CVE-2025-32432 in versions 3.9.15, 4.14.15, and 5.6.17.
- Yii Framework addressed CVE-2024-58136 in Yii 2.0.52, released on April 9, 2025.
Craft CMS clarified that although the Yii framework was not upgraded within Craft itself, the specific attack vector was mitigated with their own patching.
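A quick way to tell whether a Craft project has actually picked up those fixes is to read the versions pinned in its composer.lock. The script below is an added example (not from the article, Craft CMS or Yii); it assumes the standard composer.lock layout, the three Craft major lines listed above, and reports any other major line as unknown rather than guessing.

```python
"""Check a Craft CMS project's composer.lock against the patched versions
named in the article. Added example, not from the article, Craft CMS or Yii."""
import json

# Patched versions from the article: minimum fixed release per Craft major line,
# and the Yii 2 release that fixed CVE-2024-58136.
CRAFT_FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
YII_FIXED = (2, 0, 52)


def parse_version(text):
    """Turn '4.14.15' or 'v5.6.17-beta.1' into a comparable integer tuple."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def craft_status(version):
    """'patched', 'vulnerable', or 'unknown' (major line not covered above)."""
    v = parse_version(version)
    fixed = CRAFT_FIXED.get(v[0])
    if fixed is None:
        return "unknown"  # assumption: only 3.x, 4.x and 5.x are assessed
    return "patched" if v >= fixed else "vulnerable"


def yii_status(version):
    """Yii 2.0.52 and later carry the fix for CVE-2024-58136."""
    return "patched" if parse_version(version) >= YII_FIXED else "vulnerable"


def check_lock(lock_json):
    """Report the status of craftcms/cms and yiisoft/yii2 from composer.lock text."""
    packages = json.loads(lock_json).get("packages", [])
    versions = {p["name"]: p["version"] for p in packages}
    report = {}
    if "craftcms/cms" in versions:
        report["craftcms/cms"] = craft_status(versions["craftcms/cms"])
    if "yiisoft/yii2" in versions:
        report["yiisoft/yii2"] = yii_status(versions["yiisoft/yii2"])
    return report


# Constructed sample: a Craft 4 site that has not yet taken the 4.14.15 update.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.14.14"},
    {"name": "yiisoft/yii2", "version": "2.0.51"},
]})

if __name__ == "__main__":
    for pkg, status in check_lock(SAMPLE_LOCK).items():
        print(f"{pkg}: {status}")
```

Per the vendor statement above, a "patched" Craft result mitigates the chain even when the Yii line still reads "vulnerable"; the Yii result is shown so the framework update is not forgotten.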
Craft CMS administrators who suspect compromise are urged to:
- Refresh the CRAFT_SECURITY_KEY by running php craft setup/security-key.
- Rotate all private keys and database credentials.
- Force all users to reset their passwords with php craft resave/users --set passwordResetRequired --to "fn() => true".
The situation remains serious as exploitation attempts continue. The release of a dedicated Metasploit module by Chocapikk further lowers the barrier for attackers.
For detailed indicators of compromise (IOCs), including IP addresses and file names, refer to the full SensePost report.