Craft CMS, a popular open-source content management system built on the Yii PHP framework, faces severe security threats from three interconnected vulnerabilities now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
These flaws enable remote code execution (RCE), posing high risks to thousands of websites worldwide. As of March 20, 2026, federal agencies must mitigate CVE-2025-32432 by April 3, 2026, or discontinue use.
CVE-2025-32432 is a code injection flaw (CWE-94) that lets unauthenticated attackers execute arbitrary PHP code through the actions/assets/generate-transform endpoint: user-supplied request parameters are passed into Yii's object-configuration mechanism, so a `__class` key in the request chooses which class Craft instantiates. Disclosed in April 2025 and rooted in the Yii issue described below, it affects Craft CMS versions 3.0.0-RC1 to 3.9.14, 4.0.0-RC1 to 4.14.14, and 5.0.0-RC1 to 5.6.16.
CVE-2025-35939 is an external-control-of-assumed-immutable-web-parameter flaw (CWE-472): Craft writes the unsanitized return URL supplied during authentication into the user's session file, so an unauthenticated attacker can plant PHP code in a file on the server. On its own this only writes the file; chained with CVE-2025-32432, which can load it, it yields RCE even on hosts that offer no other writable path.
The underlying cause, CVE-2024-58136 (CWE-424, improper protection of alternate path, CVSS 9.0), is in the Yii Framework 2.0.x before 2.0.52: `Yii::createObject()` honored a `__class` key in the configuration array it was given, so any dependent application that passed user-controlled arrays into it, as Craft CMS did, let callers instantiate arbitrary classes and reach code execution.
The flaws were exploited as zero-days before the fixes shipped (Orange Cyberdefense traced in-the-wild attacks back to February 2025), and CISA added CVE-2025-32432 to KEV on April 17, 2025. Attackers compromised hundreds of sites with malicious POST requests carrying “__class” payloads to the transform endpoint.
Craft CMS developers confirmed in-the-wild activity, notifying license holders and releasing emergency patches on April 10, 2025 (Craft 3.9.15, 4.14.15, 5.6.17). CISA’s KEV addition underscores active exploitation, with no known ransomware ties yet.
Indicators include requests to /actions/assets/generate-transform (or the equivalent index.php?p=actions/assets/generate-transform form) whose parameters contain “__class”. Note that the payload travels in the POST body, which default web-server access logs do not record, so the check needs a WAF, reverse proxy, or application log that captures bodies. Post-compromise, attackers drop backdoors in asset folders or the public HTML directory.
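The following is an added example, not code from the article or from Craft CMS, of turning that indicator into a log check. It assumes JSON-lines from a reverse proxy or WAF that has been configured to log request bodies, with the constructed field names ts/src/method/target/body; the class names in the sample payloads are placeholders rather than a real exploit chain. It goes slightly beyond the text by also catching percent-encoded and double-encoded spellings of `__class`, which a literal grep misses.

```python
"""Flag requests that hit Craft's assets/generate-transform action with a
__class key (the CVE-2025-32432 indicator). Added example; field names and
payload values are assumptions, not Craft's own logging format."""

import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ACTION = "assets/generate-transform"
# Path-style routing: /actions/assets/generate-transform
PATH_RE = re.compile(r"/actions/" + re.escape(ACTION) + r"(?:/|$)")


def is_transform_request(target: str) -> bool:
    """True when the request target routes to the generate-transform action,
    either by path or via Craft's `p=actions/...` query parameter."""
    parts = urlsplit(target)
    if PATH_RE.search(parts.path):
        return True
    wanted = "actions/" + ACTION
    return any(v.strip("/") == wanted for v in parse_qs(parts.query).get("p", []))


def contains_class_key(blob: str) -> bool:
    """True when a query string or form body carries a `__class` key.

    Handles nested PHP array keys such as handle[__class] and both single and
    double percent-encoding, so a grep for the literal `__class` is not enough."""
    decoded = blob or ""
    for _ in range(2):  # second pass unwraps %25-style double encoding
        decoded = unquote_plus(decoded)
    return "__class" in decoded


def scan_log(lines):
    """Return one finding per log line that hits the endpoint with a __class key."""
    findings = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        target = rec.get("target", "")
        if not is_transform_request(target):
            continue
        where = []
        if contains_class_key(urlsplit(target).query):
            where.append("query")
        if contains_class_key(rec.get("body", "")):
            where.append("body")
        if where:
            findings.append({"line": n, "src": rec.get("src"),
                             "ts": rec.get("ts"), "where": where})
    return findings


# Constructed sample log: line 1 is a benign lazy transform request, lines 2
# and 3 carry a __class key (plain and double-encoded), line 4 is unrelated.
SAMPLE_LOG = [
    '{"ts":"2025-04-17T10:00:01Z","src":"203.0.113.5","method":"GET",'
    '"target":"/actions/assets/generate-transform?transformId=12","body":""}',
    '{"ts":"2025-04-17T10:00:02Z","src":"198.51.100.7","method":"POST",'
    '"target":"/index.php?p=actions/assets/generate-transform",'
    '"body":"assetId=1&handle%5B__class%5D=Placeholder%5CClass"}',
    '{"ts":"2025-04-17T10:00:03Z","src":"198.51.100.7","method":"POST",'
    '"target":"/index.php?p=actions/assets/generate-transform",'
    '"body":"assetId=1&handle%255B%255F%255Fclass%255D=Placeholder%5CClass"}',
    '{"ts":"2025-04-17T10:00:04Z","src":"192.0.2.9","method":"POST",'
    '"target":"/index.php?p=actions/users/login","body":"loginName=admin&password=x"}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} sent __class via {', '.join(f['where'])}")
```

Only the two lines with a `__class` key are reported; the benign transform request on line 1 is not, because legitimate lazy transform generation also hits this endpoint and the key, not the path, is what distinguishes an attack. A source that repeatedly sends `__class` is a candidate for the incident steps below.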
Update immediately to a patched Craft version (3.9.15, 4.14.15, or 5.6.17 or later) following the official upgrade guide. Where that is not yet possible, install the Craft CMS Security Patches library as an interim measure, or have a firewall or WAF block POST requests to the vulnerable endpoint whose bodies contain “__class”; remember that the string may arrive percent-encoded, so the rule must match against the decoded body.
If compromised: take the site offline, scan for and remove backdoors (for example with Sucuri), rotate the security key (php craft setup/security-key) and the database credentials, and force a password reset for every user (php craft resave/users --set passwordResetRequired). Rotating the key matters because a stolen one allows forged session and validation tokens even after the backdoor is gone. Craft Cloud users benefit from built-in firewall blocks.
These flaws highlight supply-chain risk in CMS platforms, where a framework bug cascades to every application built on it. With CVSS scores up to 10.0 and low attack complexity, unauthenticated RCE is a direct data-breach risk, a typical ransomware precursor, and an easy foothold for persistence. Craft's popularity for bespoke, publicly indexed sites means many exposed instances are easy to enumerate.
In accordance with BOD 22-01, enterprises should prioritize scanning, patching, and monitoring. Credits go to Orange Cyberdefense for the discovery of CVE-2025-32432.
Site: cybersecuritypath.com