Critical Craft CMS Zero-Day Vulnerabilities Exploited: Urgent Patches Released to Combat Attacks
April 28, 2025
These vulnerabilities have been actively exploited in ongoing attacks, leading to server breaches and data theft, as reported by CERT Orange Cyberdefense.
Manual exploitation of these vulnerabilities began on February 10, 2025, followed by automated attacks starting just four days later.
Users are advised to monitor server logs for suspicious POST requests that may indicate probing for these vulnerabilities.
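The summary says only that administrators should watch server logs for suspicious POST requests; it names no request path or signature. The following is an added example, not code from the summary's sources or from Craft CMS, that shows the generic check a defender can run: parse combined-format access log lines and flag any client that sends a burst of POST requests within a short window, which is what the automated probing described above would look like. The log lines, IP addresses, paths and the burst threshold are constructed for illustration.

```python
"""Flag bursts of POST requests per client in combined-format access logs.

Added example (not from the news summary or from Craft CMS). Assumes the
Apache/Nginx "combined" log format; the sample lines, IPs, paths and the
threshold below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client fires six POSTs in a few seconds (scanner-like),
# another browses normally and submits one form.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2025:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2025:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2025:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2025:10:00:03 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2025:10:00:04 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2025:10:00:04 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [14/Feb/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Feb/2025:10:00:09 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "time": ts,
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_post_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: {"count": total POSTs, "paths": [...]}} for every client that
    sent at least `threshold` POST requests inside any `window`-long interval.

    The window and threshold are assumptions for this example; tune them to the
    site's normal form-submission rate.
    """
    posts = defaultdict(list)   # ip -> list of POST timestamps
    paths = defaultdict(set)    # ip -> set of POSTed paths
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            posts[rec["ip"]].append(rec["time"])
            paths[rec["ip"]].add(rec["path"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then check its size.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"count": len(times), "paths": sorted(paths[ip])}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_post_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} POSTs to {', '.join(info['paths'])}")
```

Feed the script a real access log instead of `SAMPLE_LOG` and review the flagged sources by hand; a burst of POSTs from a single client to a single path is a prompt to look closer, not proof of exploitation, so pair it with the patch and credential-rotation steps rather than relying on it alone.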
CVE-2025-32432 has a severity score of 10/10, while CVE-2024-58136 has a score of 9.0/10, highlighting the critical nature of these vulnerabilities.
Craft CMS has provided guidance for administrators on precautionary measures to take if a site is believed to be compromised, including refreshing security keys and rotating database credentials.
Researchers have identified two critical zero-day vulnerabilities in Craft CMS, tracked as CVE-2025-32432, a remote code execution flaw, and CVE-2024-58136, an input validation issue.
As of mid-April 2025, approximately 13,000 vulnerable Craft CMS instances were identified, with nearly 300 already compromised.
Attackers exploit these vulnerabilities by first obtaining a valid asset ID through crafted POST requests; that ID is the prerequisite for the subsequent steps that let them execute PHP code on the server.
The exploitation process involves manipulating a PHP session file using CVE-2025-32432, followed by executing PHP code from a compromised session file through CVE-2024-58136.
Patches addressing these vulnerabilities were released on April 10, 2025, in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17.
Further compromise steps include uploading backdoors and exfiltrating data, with additional details expected in a forthcoming blog post by Orange Cyberdefense.
On April 17, 2025, Craft CMS developers began notifying potentially affected license holders to encourage timely updates.
Summary based on 5 sources
Sources

TechRadar pro • Apr 28, 2025
Craft CMS zero-day exploited to compromise hundreds of vulnerable servers
BleepingComputer • Apr 25, 2025
Craft CMS RCE exploit chain used in zero-day attacks to steal data
SecurityWeek • Apr 28, 2025
Craft CMS Zero-Day Exploited to Compromise Hundreds of Websites
Security Affairs • Apr 28, 2025
Attackers chained Craft CMS zero-days attacks in the wild