Threat Advisory

Craft CMS and Yii Framework Vulnerabilities Enable Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
EXECUTIVE SUMMARY:

A zero-day vulnerability in Craft CMS has been discovered which, when chained with an input validation flaw in the underlying Yii framework, is being actively exploited in the wild. The chain yields remote code execution (RCE), allowing attackers to compromise the server, steal sensitive data and take full control of the system, typically by dropping a PHP-based file manager. The attacker first sends a specially crafted HTTP request whose "return URL" parameter carries PHP code; Craft stores this value unsanitized in the PHP session file on disk. The Yii input validation flaw is then used to make the application load that session file as PHP, executing the attacker's code. Both vulnerabilities have been patched, but exploitation attempts continue, and because the attack leaves attacker-controlled content in session storage, a system that was exposed before patching may already be compromised. Administrators are advised to update immediately and to apply the additional measures below, including refreshing the security key and rotating sensitive credentials.

  • CVE-2025-32432: A remote code execution (RCE) vulnerability in Craft CMS, triggered by a specially crafted HTTP request containing a malicious "return URL" parameter. The value is written to the PHP session file without sanitization, giving the attacker a file on disk containing PHP code that can later be executed. The vulnerability has a CVSS score of 10.0 and has been actively exploited in the wild to breach systems and steal sensitive data.
  • CVE-2024-58136: An input validation vulnerability in the Yii framework that allows malicious JSON payloads to bypass the framework's security checks. On its own it is a framework-level flaw; chained with CVE-2025-32432 it lets the attacker turn the poisoned session file into PHP code execution, and it plays a key role in the recent Craft CMS attacks. It carries a CVSS score of 9.8.
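Because the first stage of the chain leaves PHP code in a session file, a quick triage check for a possibly exposed host is to scan PHP session storage for PHP open tags, which never belong there. The following is an added example written for this advisory, not code from Craft CMS, Yii or the original report. It assumes PHP's default file-based session handler (files named `sess_<id>` under `session.save_path`, commonly `/var/lib/php/sessions`) and the default `key|serialized;` session format; the sample session files it builds are constructed for the demonstration, and `__returnUrl` is used only as an illustrative key name.

```python
import re
import tempfile
from pathlib import Path

# A PHP open tag inside a session file is a strong indicator that a stored
# value (such as the "return URL" described above) was poisoned. We match
# both "<?php" and the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def scan_session_file(path: Path) -> list[dict]:
    """Return one finding per PHP open tag found in a single session file."""
    findings = []
    data = path.read_bytes()
    for m in PHP_TAG.finditer(data):
        start = max(0, m.start() - 40)
        snippet = data[start:m.end() + 60]
        findings.append({
            "file": str(path),
            "offset": m.start(),
            # latin-1 never fails to decode, so odd bytes do not abort the scan
            "snippet": snippet.decode("latin-1"),
        })
    return findings


def scan_session_dir(session_dir: Path, prefix: str = "sess_") -> list[dict]:
    """Scan every file in session_dir that uses the PHP session file prefix."""
    findings = []
    for p in sorted(session_dir.iterdir()):
        if p.is_file() and p.name.startswith(prefix):
            findings.extend(scan_session_file(p))
    return findings


def php_session_entry(key: str, value: str) -> bytes:
    """Encode one entry in PHP's default session serializer: key|s:len:"value";"""
    v = value.encode()
    return key.encode() + b"|s:" + str(len(v)).encode() + b':"' + v + b'";'


def build_sample_sessions(tmp: Path) -> None:
    """Write constructed sample files (not real captured data) for the demo."""
    benign = php_session_entry("__returnUrl", "/admin/dashboard") + \
        php_session_entry("__id", "3")
    (tmp / "sess_benign0001").write_bytes(benign)
    # Assumed poisoned session: the stored return URL carries a PHP tag.
    poisoned = php_session_entry("__returnUrl", "/admin/<?php phpinfo(); ?>")
    (tmp / "sess_poison0002").write_bytes(poisoned)
    # Wrong prefix: a real scan would not treat this as a session file.
    (tmp / "not_a_session").write_bytes(b"<?php echo 1; ?>")


def demo() -> list[dict]:
    """Build the samples in a temp dir and return what the scanner flags."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        build_sample_sessions(tmp)
        return scan_session_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']} @ {f['offset']}: {f['snippet']!r}")
```

On a live host, point `scan_session_dir` at the real `session.save_path` and run it as a user that can read the session files; any hit should be treated as evidence of an exploitation attempt, after which the session store should be cleared and the security key refreshed as recommended below.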

RECOMMENDATION:

  • We strongly recommend you update Craft CMS to version 3.9.15, 4.14.15 or 5.6.17 (or later), depending on the major version you run.
  • Patching alone does not undo a prior compromise. Refresh the application security key (Craft's `php craft setup/security-key` console command) and rotate any credentials the application holds, such as database passwords and API keys.
  • Inspect session storage and the web root for unexpected PHP content, in particular newly created PHP files such as a dropped file manager, and clear existing sessions after refreshing the security key.

 

REFERENCES:

The following reports contain further technical details:
