Hundreds of websites have been compromised through the exploitation of a zero-day vulnerability in the Craft content management system (CMS), security services provider Orange Cyberdefense warns.
Tracked as CVE-2025-32432 (CVSS score of 10/10), the issue was discovered in built-in image transformation functionality that helps administrators keep images in a specific format, and allows unauthenticated attackers to send crafted requests leading to remote code execution (RCE).
“CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server. The data is interpreted when the transformation object is created,” Orange explains.
The bug impacts versions 3.x, 4.x, and 5.x of Craft CMS, and the exploitation requires that the attacker has a valid asset ID for the targeted version. Craft CMS uses “assets” for the management of files and media.
As part of the observed attacks, the threat actors first sent crafted requests to obtain a valid asset ID, then sent additional requests to place PHP code on the server, and executed it. There are two methods of exploiting CVE-2025-32432, Orange discovered.
The attacker can send a request containing the malicious code to the vulnerable function, or can send a crafted request to an admin page to trigger an authentication redirect, to inject PHP code in a return URL that Craft CMS writes in a PHP session file, and then send a second request containing the session file’s name to the vulnerable function, to trigger the code execution.
According to Orange, manual exploitation of CVE-2025-32432 started on February 10, while automated exploitation began four days later, after the threat actor figured out what automation mechanism they should use.
Orange says roughly 13,000 Craft CMS instances are likely affected by this vulnerability, out of a total of approximately 35,000 unique instances identified. Based on the observed exploitation artefacts associated with CVE-2025-32432, almost 300 deployments have been compromised.
At least one of the impacted websites has been taken down, as the attackers exploited the vulnerability to overwrite multiple critical files, Orange says.
Patches for the vulnerability were released on April 10, in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17.
“On April 17, 2025, we discovered evidence to suggest the vulnerability was being exploited in the wild, so we decided to email all potentially affected license holders, encouraging them to update or install the Craft CMS Security Patches library as a stop-gap,” the content management system’s developers said.
The underlying issue, however, was identified in the Yii framework. The Yii vulnerability was assigned a separate identifier, CVE-2024-58136 (CVSS score of 9), and a patch was released on April 9, in Yii version 2.0.52.
“Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025,” a NIST advisory reads.
Related: CISA Warns of Attacks Exploiting Craft CMS Vulnerability
Related: SAP Zero-Day Possibly Exploited by Initial Access Broker
Related: Fresh Windows NTLM Vulnerability Exploited in Attacks
Related: SonicWall Flags Old Vulnerability as Actively Exploited