Latest Craft CMS vulnerabilities #

Two zero-day vulnerabilities impacting Craft CMS are being actively exploited by chaining the vulnerabilities together to compromise the affected systems.

    • CVE-2025-32432 is rated critical with a CVSSv3 base score of 10.0.
    • CVE-2024-58136 is rated critical with a CVSSv3 base score of 9.0. This vulnerability is found within the Yii framework, which is used by Craft CMS.

What is the impact? #

Successful exploitation of the vulnerabilities when chained together potentially allows a remote attacker the ability to breach vulnerable systems and transfer potentially sensitive data after installing a PHP-based file manager on compromised systems.

Are updates available? #

Although the Yii framework update is not included in the latest Craft CMS patch, the primary vulnerability was patched within 3.9.15, 4.14.15, and 5.6.17. Users are strongly encouraged to update their installation as soon as possible. In addition to applying a patch, users might want to rotate their security keys as a safety precaution. Additionally, a best practices write-up is available online with steps on how to harden the security of the installation.

How do I find potentially vulnerable instances with runZero? #

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Craft CMS")

February 2025: CVE-2025-23209 #

In late January, CraftCMS published a security advisory for a code injection vulnerability that can lead to remote code execution. On February 20, 2025 CISA added CVE-2025-23209 to the known exploited vulnerabilities catalog (KEV).

What is the impact? #

Successful exploitation of the vulnerability requires that a remote attacker already has control of the installation's security key. In this case, the attacker can then inject code using an specially crafted backup directory variable provided by the user.

The affected versions include:

  • Versions greater than or equal to 5.0.0-RC1 through 5.5.5 (exclusive)
  • Versions greater than or equal to 4.0.0-RC1 through 4.13.8 (exclusive)

Are updates available? #

The vulnerability was patched in 5.5.8 and 4.13.8. Users are strongly encouraged to update their installation as soon as possible. In addition to applying a patch, users might want to rotate their security keys as a safety precaution. Additionally, a best practices write-up is available online with steps on how to harden the security of the installation.

How do I find potentially vulnerable instances with runZero? #

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Craft CMS")

Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!

More about runZero Team
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Discover the new era of exposure management!