

Ethical Hacking News

Craft CMS Zero-Day Exploit Chain Used to Steal Data: A Growing Concern for Webmasters


Craft CMS has been hit by a zero-day exploit chain that was used to steal data from compromised servers. Attackers chained two vulnerabilities, CVE-2025-32432 and CVE-2024-58136, to breach Craft CMS servers. Craft CMS has since fixed these vulnerabilities in their respective versions, but webmasters are advised to take precautions to protect themselves.

  • Craft CMS has been hit by a zero-day exploit chain that stole data from compromised servers.
  • The vulnerabilities were two chained exploits: CVE-2025-32432 (RCE) and CVE-2024-58136 (input validation flaw in Yii framework).
  • Attackers chained these exploits to breach servers, then took additional compromise steps, including uploading backdoors and exfiltrating data.
  • Craft CMS has since fixed the vulnerabilities in versions 3.9.15, 4.14.15, and 5.6.17.
  • Admins are advised to refresh their security key, update environment variables, rotate database credentials, and force users to reset passwords.



    Craft CMS has been hit by a zero-day exploit chain that was used to steal data from compromised servers. This is according to CERT Orange Cyberdefense, which recently discovered the vulnerability and has been working to contain the damage.

    Two zero-day vulnerabilities were chained together to breach Craft CMS servers. The first was CVE-2025-32432, a remote code execution (RCE) vulnerability in Craft CMS. It allowed attackers to send a specially crafted request containing a "return URL" parameter, which was saved in a PHP session file. The session name was then sent to the visitor as part of the response to the HTTP request.

    The second was CVE-2024-58136, an input validation flaw in the Yii framework used by Craft CMS. It allowed attackers to send a malicious JSON payload that caused the PHP code in the session file to be executed on the server. The attacker used this exploit to install a PHP-based file manager on the server, which compromised the system further.

    The attackers were able to chain these two exploits together to breach the servers and steal data. Orange Cyberdefense reported that they saw additional compromise steps, including uploads of backdoors and data exfiltration. However, Craft CMS has since fixed both vulnerabilities in their respective versions: 3.9.15, 4.14.15, and 5.6.17.
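
To check an installation against the fixed releases listed above, the following added example (not code from Craft CMS or Orange Cyberdefense) reads the `craftcms/cms` entry of a project's `composer.lock` and compares it with the fixed version for its major branch. It assumes that any earlier release on the same branch needs updating; `sample_lock` and its contents are constructed for demonstration.

```python
import json
import re

# Fixed releases per major branch, as listed in the article.
FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-.+)?")


def craft_status(lock_text):
    """Return (status, version) for the craftcms/cms entry of a composer.lock.

    status is 'patched', 'outdated', 'unknown' (unparseable version or a
    branch the article gives no fix for) or 'absent' (Craft not installed).
    Assumption: every earlier release on a listed branch needs the update.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != "craftcms/cms":
            continue
        version = str(pkg.get("version", ""))
        m = VERSION_RE.fullmatch(version)
        if not m or int(m.group(1)) not in FIXED:
            return "unknown", version
        release = tuple(int(m.group(i)) for i in (1, 2, 3))
        fixed = FIXED[release[0]]
        # A pre-release of the fixed version (e.g. 5.6.17-beta.1) sorts
        # before the fixed release, so it does not count as patched.
        if release > fixed or (release == fixed and not m.group(4)):
            return "patched", version
        return "outdated", version
    return "absent", None


def sample_lock(version):
    """Build a minimal, constructed composer.lock for demonstration."""
    packages = [{"name": "vendor/other-package", "version": "1.0.0"}]
    if version is not None:
        packages.append({"name": "craftcms/cms", "version": version})
    return json.dumps({"packages": packages})


if __name__ == "__main__":
    for v in ("3.9.14", "4.14.15", "5.6.17-beta.1", "dev-main", None):
        print(v, "->", craft_status(sample_lock(v)))
```

An "outdated" result only says the fix is missing; it does not show whether the server was breached.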

    To protect themselves from this exploit chain, Craft CMS administrators are advised to refresh their security key if it has already been captured. They should also run the `php craft setup/security-key` command to update the environment variable with the new security key. Additionally, they should rotate their database credentials and consider forcing all users to reset their passwords in case their database is compromised.

    This zero-day exploit chain highlights the growing concern for webmasters who use Craft CMS on their websites. It emphasizes the importance of keeping software up-to-date and using secure protocols to protect against attacks like this one.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Craft-CMS-Zero-Day-Exploit-Chain-Used-to-Steal-Data-A-Growing-Concern-for-Webmasters-ehn.shtml

  • Published: Fri Apr 25 15:45:52 2025 by llama3.2 3B Q4_K_M












