CVE-2025-32432: Critical Craft CMS Vulnerability Is Actively Exploited in Zero-Day Attacks, Leads to Remote Code Execution

April 29, 2025 · 3 min read

Following the disclosure of the Command Center CVE-2025-34028 vulnerability, researchers are now warning about another critical threat: a max-severity flaw in Craft CMS, tracked as CVE-2025-32432. Attackers are chaining it with a critical input validation bug in the Yii framework (CVE-2024-58136) in zero-day attacks that lead to server breaches and data theft. By mid-April, around 13,000 Craft CMS instances were vulnerable, with at least 300 reportedly compromised.

With the sharp rise in vulnerabilities across widely used software and their rapid weaponization in real-world attacks, the need for proactive threat detection is vital. In the first half of 2025, NIST logged more than 15,000 vulnerabilities, many of which are already testing the limits of SOC teams around the globe. As cyber threats grow more advanced, early detection becomes essential to staying ahead of attackers and minimizing damage.

Register for the SOC Prime Platform and access the global active threats feed serving real-time CTI and curated detection content to spot and mitigate attacks leveraging emerging CVEs on time. Explore a vast library of Sigma rules filtered by the “CVE” tag and backed by a complete product suite for advanced threat detection & hunting via the Explore Detections button.


Additionally, security professionals can leverage Uncoder AI – a private IDE & co-pilot for threat-informed detection engineering – now completely free and available without token limits on AI features. Generate detection algorithms from raw threat reports, turn IOC sweeps into performance-optimized queries, predict ATT&CK tags, optimize query code with AI tips, translate it across 48 SIEM, EDR, and Data Lake languages, and more.

CVE-2025-32432 Analysis

Security researchers have uncovered an active exploitation campaign that chains two critical vulnerabilities affecting Craft CMS to breach servers and exfiltrate data. According to Orange Cyberdefense’s CSIRT, which identified the campaign, CVE-2025-32432 and CVE-2024-58136 are chained in active zero-day attacks, giving attackers remote code execution and server access through a multi-stage exploitation method.

First observed in mid-February 2025, the intrusion starts with exploitation of CVE-2025-32432, an RCE flaw in Craft CMS. The vulnerability stems from a misconfiguration in a built-in image transformation feature that lets website admins convert images to a chosen format. As a result, an unauthenticated threat actor can send a POST request to the endpoint responsible for image processing, and the data within the POST is interpreted by the server. Exploiting this flaw, threat actors are able to upload a PHP file manager to the target system by crafting a request that includes a “return URL” parameter. This value is stored in a PHP session file, which is then returned to the visitor as part of the server’s HTTP response, establishing a foothold on the compromised system.

At the second stage of the attack, threat actors leverage the CVE-2024-58136 vulnerability in the Yii framework used by Craft CMS to send a malicious JSON payload and execute the PHP code stored in the session file on the server. This enables installation of the PHP-based file manager for further system compromise.

Right after the attack chain was disclosed, the Yii developers addressed CVE-2024-58136 in the Yii 2.0.52 release. Craft CMS patched CVE-2025-32432 in versions 3.9.15, 4.14.15, and 5.6.17 as of April 10, 2025.
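To turn the fixed releases above into a quick check, here is an added example (not code from the advisory, Craft CMS, or Yii) that reads a composer.lock and reports whether the chain described above is still possible on an install. The Composer package names craftcms/cms and yiisoft/yii2, the version-string format, and the sample lock content are assumptions.

```python
import json
import re

# Fixed releases named in the advisory: CVE-2025-32432 per Craft branch,
# CVE-2024-58136 in Yii 2.0.52. Majors with no listed fix are flagged separately.
CRAFT_FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
YII_FIXED = {2: (2, 0, 52)}

# Composer package names (assumed; confirm against your own composer.lock).
CRAFT_PKG, YII_PKG = "craftcms/cms", "yiisoft/yii2"

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """'v5.6.16' -> ((5, 6, 16), False); '5.6.17-beta.1' -> ((5, 6, 17), True); else None."""
    m = _VER.match(text.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None


def status(version, fixed_by_branch):
    """Return 'patched', 'vulnerable', 'unknown' (unparseable version) or
    'unsupported-branch' (no fixed release listed for that major version)."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    nums, prerelease = parsed
    fixed = fixed_by_branch.get(nums[0])
    if fixed is None:
        return "unsupported-branch"
    # A pre-release of the fix version (e.g. 5.6.17-beta.1) predates the fix.
    if nums < fixed or (nums == fixed and prerelease):
        return "vulnerable"
    return "patched"


def assess_lock(lock_text):
    """Read composer.lock JSON; report both packages and whether both bugs are unpatched."""
    packages = json.loads(lock_text).get("packages", [])
    versions = {p.get("name"): p.get("version", "") for p in packages}
    craft = status(versions.get(CRAFT_PKG, ""), CRAFT_FIXED)
    yii = status(versions.get(YII_PKG, ""), YII_FIXED)
    return {"craft": craft, "yii": yii,
            "full_chain_possible": craft == "vulnerable" and yii == "vulnerable"}


# Constructed sample lock file: Craft one patch release behind, Yii already fixed.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.6.16"},
    {"name": "yiisoft/yii2", "version": "2.0.52"},
]})
```

A Craft install reported as "vulnerable" still needs the upgrade even when Yii is patched, since only the second stage depends on the Yii bug.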

To minimize the risks of exploitation of similar zero-days and other known CVEs, SOC Prime Platform provides security teams with a complete product suite built on a unique fusion of technologies, backed by AI and automation, and powered by real-time threat intel to help global organizations across multiple industry verticals and diverse environments scale their SOC operations. Register now to outscale cyber threats and stay on top of any potential cyber attack against your business. 
