Two critical security vulnerabilities in Craft CMS have been exploited in zero-day attacks, first reported on February 14, 2025, by Orange Cyberdefense. CVE-2025-32432 (CVSS score 10.0) allows remote code execution because of improper handling of image transformations; CVE-2024-58136 (CVSS score 9.0) is an improper-protection flaw in the underlying Yii framework that allows unauthorized access. Attackers exploit these vulnerabilities by sending POST requests that reach restricted server functionality, which makes the pair a significant risk to Craft CMS users.
"CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transformation and the data within the POST would be interpreted by the server."
"In versions 3.x of Craft CMS, the asset ID is checked before the creation of the transformation object whereas in versions 4.x and 5.x, the asset ID is checked after."
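As an added illustration (not code from Craft CMS or from the Orange Cyberdefense report), the Python model below shows why the check ordering in the second quote matters: when the asset ID is validated only after the transformation object is built, every request body, valid or not, has already been interpreted. The handler names, asset IDs and request bodies are assumed for illustration.

```python
"""Model of validate-before-construct vs construct-before-validate.

Constructed example: the asset IDs, field names and request bodies are
made up; only the ordering difference reflects the quoted description.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

VALID_ASSET_IDS = {101, 102}  # constructed: assets that actually exist

# Every body that gets turned into an object is recorded here, so we can
# see which untrusted bodies were interpreted before any check rejected them.
construct_log: List[Dict] = []


@dataclass
class Transform:
    width: int
    height: int
    fmt: str


def build_transform(body: Dict) -> Transform:
    """Stand-in for building the transformation object from POST data."""
    construct_log.append(body)
    return Transform(int(body["width"]), int(body["height"]), body["format"])


def handle_check_after(body: Dict) -> Optional[Transform]:
    """Ordering described for 4.x/5.x: build first, check the asset ID second."""
    transform = build_transform(body)          # untrusted data already interpreted
    if body.get("assetId") not in VALID_ASSET_IDS:
        return None
    return transform


def handle_check_before(body: Dict) -> Optional[Transform]:
    """Ordering described for 3.x: reject unknown asset IDs before doing anything else."""
    if body.get("assetId") not in VALID_ASSET_IDS:
        return None
    return build_transform(body)


def untrusted_constructions(handler: Callable[[Dict], Optional[Transform]],
                            requests: List[Dict]) -> int:
    """Count request bodies the handler interpreted even though the asset ID was invalid."""
    construct_log.clear()
    for body in requests:
        handler(body)
    return sum(1 for b in construct_log if b.get("assetId") not in VALID_ASSET_IDS)


# Constructed sample traffic: one legitimate body, two with bogus/missing asset IDs.
SAMPLE_REQUESTS = [
    {"assetId": 101, "width": "200", "height": "100", "format": "jpg"},
    {"assetId": 999, "width": "200", "height": "100", "format": "jpg"},
    {"width": "1", "height": "1", "format": "png"},
]
```

With the check-after ordering both bogus bodies are interpreted before being rejected; with the check-before ordering neither is.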