Craft CMS is currently reeling from two recently publicized serious security vulnerabilities that have been used in zero-day attacks. Through them, attackers have been able to compromise servers and access sensitive data such as users' private information and payment details. The vulnerabilities, CVE-2025-32432 and CVE-2024-58136, endanger Craft CMS installations around the world and are something every operator of the platform needs to be informed about.
The more severe of the two, CVE-2025-32432, is an unauthenticated remote code execution (RCE) flaw with a CVSS score of 10.0. It lives in Craft CMS's built-in image transformation feature, which lets a site generate resized or reformatted versions of uploaded assets on request. The endpoint that drives those transforms accepted requests from unauthenticated users and handed attacker-supplied request data to the server for interpretation, so exploiting it allows attackers to run arbitrary code on vulnerable servers. The vulnerability was fixed in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17.
Besides CVE-2025-32432, Craft CMS is affected by CVE-2024-58136, which has a CVSS score of 9.0. This flaw is an improper protection of an alternate path in the Yii PHP framework on which Craft CMS is built: a caller can reach restricted functionality or resources without passing through the intended checks, and every application built on the affected framework versions inherits the problem. This should raise an alarm bell for any organization that uses this popular content management system. Notably, CVE-2024-58136 is a regression of a previously disclosed and fixed Yii vulnerability, CVE-2024-4990, so sites that had been patched for the earlier issue were exposed again.
Extent of the Threat
At the time of their report, security researchers had identified nearly 13,000 exposed instances of Craft CMS. Alarmingly, almost 300 of those had already been documented as compromised. The first attacks were detected on February 14, 2025 by Orange Cyberdefense SensePost. For Craft CMS operators, this underscores the critical importance of guarding systems against exploits of this kind.
The attacks chain the two flaws: the Yii weakness (CVE-2024-58136) lets request data choose what the server instantiates, and the unauthenticated transform endpoint (CVE-2025-32432) is the reachable path through which that data is delivered. Chaining them yields RCE, which significantly heightens the possible impact on compromised organizations. Separately, another recently discovered zero-day, CVE-2025-42599, has surfaced through cyberattacks targeting organizations in Japan; it carries a CVSS score of 9.8.
Nicolas Bourras explained the mechanics of CVE-2025-32432, stating, “CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server.”
Recommendations for Users
Craft CMS has also released guidance for their users to be on the lookout for signs of exploitation. “If you check your firewall logs or web server logs and find suspicious POST requests to the actions/assets/generate-transform Craft controller endpoint, specifically with the string __class in the body, then your site has at least been scanned for this vulnerability,” cautioned the Craft CMS team.
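The guidance above can be turned into a repeatable log check. The following Python script is an added example, not code from Craft CMS, Orange Cyberdefense or SensePost. It assumes a combined-format access log with an optional trailing body="..." field as a WAF or request-logging module might append (a constructed convention, since ordinary access logs do not record POST bodies), and it also treats requests that name the controller action through Craft's action request parameter as hits (an assumption about Craft's routing, not something the page states). The log lines are constructed for the example; percent- and double-encoded payloads are decoded before the __class marker is looked for, so a trivially obfuscated probe is not missed.

```python
"""Flag POST requests to Craft's assets/generate-transform action and escalate
those whose request data contains the "__class" marker named in Craft's advisory.
Added example (assumptions marked inline); not Craft CMS or researcher code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote_plus

# Path segment named in the Craft guidance, and the bare action name that the
# `action` request parameter would carry (parameter form is an assumption).
ENDPOINT_PATH = "actions/assets/generate-transform"
ACTION_NAME = "assets/generate-transform"
MARKER = "__class"

# Combined log format plus an optional body="..." field (constructed convention
# standing in for a WAF / request-logging module; plain access logs lack bodies).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
    r'(?: body="(?P<body>.*)")?$'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    level: str   # "scanned": endpoint hit; "probed": __class present as well
    detail: str


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so percent- or double-encoded markers are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def hits_transform_action(target: str, body: str) -> bool:
    """True if the request is routed to assets/generate-transform by path or by
    the `action` parameter in the query string or body (parameter form assumed)."""
    if ENDPOINT_PATH in decode_fully(target):
        return True
    query = target.partition("?")[2]
    for params in (parse_qs(query), parse_qs(body)):
        if ACTION_NAME in params.get("action", []):
            return True
    return False


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious POST, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    target, body = m.group("target"), m.group("body") or ""
    if not hits_transform_action(target, body):
        return None
    haystack = decode_fully(target) + "\n" + decode_fully(body)
    if MARKER in haystack:
        return Finding(m.group("ip"), m.group("ts"), "probed",
                       f"{MARKER} in request to transform endpoint (status {m.group('status')})")
    # A bare hit still matters: without a logged body we cannot rule out __class.
    return Finding(m.group("ip"), m.group("ts"), "scanned",
                   "POST to transform endpoint; body absent or without marker")


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Feb/2025:10:00:01 +0000] "GET /index.php?p=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Feb/2025:10:00:02 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2025:10:01:00 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 400 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [14/Feb/2025:10:01:05 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 120 "-" "curl/8.0" body="assetId=1&handle%5Bwidth%5D=123&handle%5B__class%5D=Some%5CClass"',
    '198.51.100.8 - - [14/Feb/2025:10:02:00 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 120 "-" "curl/8.0" body="assetId=1&handle%255B%255F%255Fclass%255D=x"',
    '198.51.100.9 - - [14/Feb/2025:10:03:00 +0000] "POST /index.php HTTP/1.1" 200 120 "-" "curl/8.0" body="action=assets%2Fgenerate-transform&assetId=1&handle%5B__class%5D=x"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.level:8} {f.ip:15} {f.timestamp}  {f.detail}")
```

Two design choices matter in practice. First, a POST to the transform endpoint with no logged body is reported as "scanned" rather than dropped, because an access log by itself cannot tell you whether __class was sent; correlate those entries with WAF or application logs before closing them out. Second, the marker search runs on a fully decoded copy of the request, since the same payload can arrive percent-encoded or double-encoded and a literal grep for the string would miss it.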
Experts also emphasize the importance of updating to the patched versions as soon as possible to mitigate risks associated with these vulnerabilities. “In versions 3.x of Craft CMS, the asset ID is checked before the creation of the transformation object whereas in versions 4.x and 5.x, the asset ID is checked after,” Bourras added, highlighting a critical difference that attackers may exploit.