6 hours Ago
Researchers discovered two critical-severity zero-days in Craft CMS Criminals are allegedly chaining them together to gain access Some 300 sites already fell victim Cybercriminals are abusing two zero-day vulnerabilities in the Craft content management system (CMS) to access flawed servers and run malicious code remotely (RCE). This is according to cybersecurity researchers Orange Cyberdefense SenePost, who first saw the bugs being abused in mid-February this year. The two vulnerabilities are now tracked as CVE-2025-32432, and CVE-2204-58136.
The former is a remote code execution bug with the maximum severity score - 10/10 (critical). The latter is described as an improper protection of alternate path bug in the Yii PHP framework that grants access to restricted functionality or resources. It is a regression of an older bug tracked as CVE-2024-4990, and was given a severity score of 9.
0/10 (also critical). Hackers are hijacking government software to access sensitive servers Cisco smart licensing system sees critical security flaws exploited Get Keeper Personal for just $1.67/month, Keeper Family for just $3.
54/month, and Keeper Business for just $7/month Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data. It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats. Preferred partner ( What does this mean? ) Second increase "CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server," the researchers explained.
"In versions 3.x of Craft CMS, the asset ID is checked before the creation of the transformation object whereas in versions 4.x and 5.
x, the asset ID is checked after. Thus, for the exploit to function with every version of Craft CMS, the threat actor needs to find a valid asset ID." Researchers determined that there were approximately 13,000 vulnerable Craft CMS endpoints.
Almost 300 were allegedly already targeted. All users are advised to look for indicators of compromise and, if found, refresh security keys, rotate database credentials, reset user passwords, and block malicious requests at the firewall level. A patch is now available for the flaws, too.
Users should make sure their Craft CMS instances are running versions 3.9.15, 4.
14.15, and 5.6.
17. Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! The bugs have not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Via The Hacker News US government warns this popular CMS software has a worrying security flaw Take a look at our guide to the best authenticator app We've rounded up the best password managers.
