- Researchers discovered two critical zero-days in Craft CMS
- Attackers allegedly chain them together to gain access
- About 300 sites have already fallen victim
Cybercriminals are abusing two zero-day vulnerabilities in the Craft content management system (CMS) to gain access to vulnerable servers and achieve remote code execution (RCE). This is according to cybersecurity researchers at Orange Cyberdefense SensePost, who first saw the bugs being abused in mid-February this year.
The two vulnerabilities are now tracked as CVE-2025-32432 and CVE-2024-58136. The former is a remote code execution flaw with the maximum severity score of 10/10 (critical).
The latter is described as an improper protection of alternate path flaw in the Yii PHP framework that grants access to restricted functionality or resources. It is a regression of an older bug tracked as CVE-2024-4990, and was given a severity score of 9.0/10 (also critical).
Other increase
“CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for image transformation, and the data within the POST would be interpreted by the server,” the researchers explained.
“In versions 3.x of Craft CMS, the asset ID is checked before the transformation object is created, whereas in versions 4.x and 5.x the asset ID is checked after. For the exploit to work with every version of Craft CMS, the threat actor must find a valid asset ID.”
The researchers determined that there were approximately 13,000 vulnerable Craft CMS instances, and almost 300 were reportedly already compromised. All users are advised to look for indicators of compromise and, if any are found, to update their security keys, rotate database credentials, reset user passwords and block malicious requests at the firewall level.
A patch is now available for both flaws. Users must ensure that their Craft CMS installations are running versions 3.9.15, 4.14.15 or 5.6.17.
The bugs have not yet been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Via The Hacker News
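As an added example (not part of the original article or of Craft CMS itself), the following Python helper checks whether an installation is on or above the patched releases named above, reading the installed `craftcms/cms` version out of a `composer.lock` file. The sample lock file is constructed for illustration, and the assumption that any release at or above the listed fix for its major line is patched is ours.

```python
import json
import re
from typing import Optional, Tuple

# Minimum patched release per major line, as given in the article.
# Assumption: any release at or above these is patched; majors with no
# listed fix (e.g. 2.x) are treated as unpatched.
PATCHED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.14.15', 'v4.14.15' or '5.6.17-beta.1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its major line."""
    v = parse_version(version)
    floor = PATCHED.get(v[0])
    if floor is None:
        return False
    return v >= floor


def craft_version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Return the locked craftcms/cms version, or None if the package is absent."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def assess(lock_text: str) -> Tuple[Optional[str], bool]:
    """(installed version, patched?) for a composer.lock; (None, False) if not found."""
    version = craft_version_from_composer_lock(lock_text)
    if version is None:
        return (None, False)
    return (version, is_patched(version))


# Constructed sample lock file: one patch release behind the 4.x fix.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "4.14.14"}]})
```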