Ongoing attacks exploit dual Craft CMS bugs to breach servers, steal data

Security researchers at Orange Cyberdefense have warned of active exploitation of two zero-day vulnerabilities in Craft CMS, which have been chained together by threat actors in ongoing attacks to breach servers and steal data.

The vulnerabilities—CVE-2025-32432, a remote code execution (RCE) flaw in Craft CMS, and CVE-2024-58136, an input validation issue in the Yii framework used by Craft—were discovered during a forensic investigation by Orange Cyberdefense’s Computer Security Incident Response Team (CSIRT).

According to a technical report by SensePost, Orange Cyberdefense’s ethical hacking unit, attackers leveraged the chain of vulnerabilities to deploy a PHP file manager onto compromised servers, enabling deeper system access and data exfiltration.

The breach begins with exploitation of CVE-2025-32432, which allows attackers to send a specially crafted request containing a malicious ‘return URL’ parameter. This input is stored in a PHP session file, and its name is returned to the client via an HTTP response.

In the second stage, attackers exploit CVE-2024-58136 in the Yii framework: a malicious JSON payload causes the vulnerable framework to execute the code stored in the PHP session file, resulting in arbitrary code execution on the server. This chain ultimately enabled attackers to install a PHP-based file manager, giving them the ability to explore, exfiltrate, or manipulate server data.

The Yii framework vulnerability (CVE-2024-58136) was addressed in Yii 2.0.52, released on April 9th. Craft CMS patched the RCE vulnerability (CVE-2025-32432) the following day in versions 3.9.15, 4.14.15, and 5.6.17.

While Craft CMS has not yet updated to the latest Yii release, Orange Cyberdefense confirms that the patch set in Craft still mitigates the full attack chain.
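The practical question for anyone running Craft is whether the deployed release is at or above the fixed versions named above. The following Python script is an added example, not code from Orange Cyberdefense, SensePost or the Craft project: it reads package versions out of a Composer lock file (the `composer.lock` layout and the `craftcms/cms` and `yiisoft/yii2` package names are standard Composer conventions), rates the Craft version against the fixed release for its major branch (3.9.15, 4.14.15, 5.6.17) and the Yii version against 2.0.52, and reports whether the chain is mitigated using the advisory's rule that the Craft patch alone suffices. The lock file content embedded below is constructed for illustration.

```python
"""Defensive check: is the installed Craft CMS (and its bundled Yii 2) at or above
the releases that fix CVE-2025-32432 and CVE-2024-58136?

Added example. The fixed version numbers come from the advisory text; the
composer.lock sample at the bottom is constructed for illustration."""
import json
import re

# Lowest release per supported Craft major branch that fixes CVE-2025-32432.
CRAFT_FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
# Yii 2 release that fixes CVE-2024-58136.
YII_FIXED = (2, 0, 52)


def parse_version(text):
    """Turn '4.14.10', 'v4.14.10' or '4.14.10-beta.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def craft_status(version):
    """'patched', 'vulnerable', or 'unknown' when the major branch is not covered by the advisory."""
    v = parse_version(version)
    fixed = CRAFT_FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def yii_status(version):
    """Yii 2 only: anything below 2.0.52 still carries CVE-2024-58136."""
    v = parse_version(version)
    if v[0] != 2:
        return "unknown"
    return "patched" if v >= YII_FIXED else "vulnerable"


def assess_composer_lock(lock_text):
    """Read the two relevant package versions out of a composer.lock document and rate each."""
    lock = json.loads(lock_text)
    versions = {p["name"]: p["version"] for p in lock.get("packages", [])}
    report = {}
    if "craftcms/cms" in versions:
        report["craftcms/cms"] = (versions["craftcms/cms"], craft_status(versions["craftcms/cms"]))
    if "yiisoft/yii2" in versions:
        report["yiisoft/yii2"] = (versions["yiisoft/yii2"], yii_status(versions["yiisoft/yii2"]))
    return report


def chain_mitigated(report):
    """Per the advisory, a patched Craft blocks the full chain even if the bundled Yii is older."""
    craft = report.get("craftcms/cms")
    return craft is not None and craft[1] == "patched"


# Constructed composer.lock fragment: a Craft 4 site one patch release short of the fix,
# bundling a Yii 2 release below 2.0.52.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.14.14"},
        {"name": "yiisoft/yii2", "version": "2.0.51"},
    ]
})

if __name__ == "__main__":
    report = assess_composer_lock(SAMPLE_LOCK)
    for name, (ver, status) in report.items():
        print(f"{name:14} {ver:10} {status}")
    print("attack chain mitigated:", chain_mitigated(report))
```

Run it against a real site's `composer.lock` by replacing `SAMPLE_LOCK` with the file's contents; a Craft version on a branch the advisory does not list (for example 2.x) is reported as `unknown` rather than silently treated as safe.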
