- Researchers discovered two critical-severity zero-days in Craft CMS
- Criminals are reportedly chaining them to gain access
- Some 300 sites have already been compromised
Cybercriminals are abusing two zero-day vulnerabilities in the Craft Content Management System (CMS) to gain access to vulnerable servers and execute malicious code remotely (RCE). This is according to cybersecurity researchers at Orange Cyberdefense SensePost, who first observed the flaws being exploited in mid-February this year.
The two vulnerabilities are now tracked as CVE-2025-32432 and CVE-2024-58136. The first is a remote code execution flaw with the maximum severity score: 10/10 (critical).
The second is described as an improper protection of alternate path flaw in the Yii PHP framework that gives access to restricted functionality or resources. It is a regression of an older bug tracked as CVE-2024-4990, and was given a severity score of 9.0/10 (also critical).
Second increase
“CVE-2025-32432 is based on the fact that an unauthenticated user could send a POST request to the endpoint responsible for image transformation, and the data within the request would be interpreted by the server,” the researchers explained.
“In versions 3.x of Craft CMS, the asset ID is checked before the transformation object is created, while in versions 4.x and 5.x the asset ID is checked later. Therefore, for the exploit to work with every version of Craft CMS, the threat actor must find a valid asset ID.”
The researchers determined that there were approximately 13,000 vulnerable Craft CMS endpoints exposed, and that almost 300 had already been attacked. All users are advised to look for indicators of compromise and, if any are found, to refresh the security keys, rotate the database credentials, reset users’ passwords, and block malicious requests at the firewall level.
A patch for the flaws is now available. Users should make sure their Craft CMS instances are running versions 3.9.15, 4.14.15 or 5.6.17.
The flaws have not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
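The patch guidance above comes down to a per-major-line version check (3.x must be at 3.9.15 or later, 4.x at 4.14.15 or later, 5.x at 5.6.17 or later). The script below is an added example, not code from the article, Orange Cyberdefense or the Craft project: it takes a constructed inventory of hostnames and installed version strings and reports which instances still need updating. The only data it relies on are the three fixed release numbers the article names; the inventory entries and host names are invented for the example.

```python
# Added example: flag Craft CMS instances that are below the fixed release
# for their major line. The fixed versions are the ones named in the article;
# everything else (host names, inventory) is constructed for illustration.
from typing import List, Optional, Tuple

# Fixed releases quoted in the article, keyed by major version.
FIXED_RELEASES = {
    3: (3, 9, 15),
    4: (4, 14, 15),
    5: (5, 6, 17),
}


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '5.6.17-beta.1' into ((5, 6, 17), 'beta.1').

    Only numeric dot-separated components are accepted; anything else raises
    so that a malformed inventory entry is noticed rather than silently passed.
    """
    core, _, suffix = text.strip().partition("-")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version string: {text!r}")
    return tuple(int(p) for p in parts), suffix


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release of its major line,
    False if it is below, None if the major line is not one the article covers
    (e.g. Craft 2.x), which should be reviewed by hand rather than assumed safe.
    """
    numbers, suffix = parse_version(version)
    fixed = FIXED_RELEASES.get(numbers[0])
    if fixed is None:
        return None
    # Pad short strings so '4.14' compares like '4.14.0'.
    if len(numbers) < 3:
        numbers = numbers + (0,) * (3 - len(numbers))
    if numbers > fixed:
        return True
    if numbers == fixed:
        # A pre-release of the fixed version (e.g. 5.6.17-beta.1) predates it.
        return not suffix
    return False


def find_unpatched(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every instance that is not confirmed patched."""
    findings = []
    for host, version in inventory:
        result = is_patched(version)
        if result is True:
            continue
        status = "unpatched" if result is False else "unsupported major line, review manually"
        findings.append((host, version, status))
    return findings


if __name__ == "__main__":
    # Constructed inventory for the example; not real hosts.
    sample_inventory = [
        ("www.example-shop.test", "4.14.15"),
        ("blog.example.test", "3.9.14"),
        ("intranet.example.test", "5.6.17-beta.1"),
        ("legacy.example.test", "2.8.0"),
        ("docs.example.test", "5.7.0"),
    ]
    for host, version, status in find_unpatched(sample_inventory):
        print(f"{host}: Craft {version} -> {status}")
```

Version strings should be read from each instance itself (for example from the installed package metadata) rather than from a spreadsheet, and an instance below the fixed release should also be checked for the indicators of compromise the researchers describe, since updating alone does not undo an earlier intrusion.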
Via The Hacker News