
Craft CMS exploit facilitates multiple payload delivery


Intrusions abusing the maximum-severity Craft CMS vulnerability tracked as CVE-2025-32432 have been launched by the Mimo threat operation to distribute the MimoLoader alongside cryptocurrency mining malware and residential proxyware, reports The Hacker News.

Initial access facilitated by the exploit, which was launched from a Turkish IP address, allowed Mimo to deliver a web shell that executes a shell script for persistence, an analysis from Sekoia.io showed. Aside from checking for a previous infection, the shell script also ends all active XMRig processes before deploying the MimoLoader, which injects the XMRig miner and IPRoyal proxyware into targeted systems, according to Sekoia.io researchers. "Ongoing investigation confirms that Mimo remains active and operational, continuing to exploit newly disclosed vulnerabilities. The short timeframe observed between the publication of CVE-2025-32432, the release of a corresponding proof-of-concept (PoC), and its subsequent adoption by the intrusion set, reflects a high level of responsiveness and technical agility," said the report.
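The chain described above gives defenders two cheap host-level checks: processes that look like a miner or proxyware running under the web server account, and the staging script's habit of killing competing XMRig instances before installing its own. The following triage helper is an added example written for this summary, not code from Sekoia.io or from the Mimo tooling. The XMRig command-line options it matches (`--donate-level`, `-o pool:port`, `stratum+tcp://`) are real XMRig flags; the `pawns-cli` binary name used for the IPRoyal proxyware is an assumption for illustration, and the process listing and shell history it scans are constructed samples, not observed artifacts.

```python
import re
from dataclasses import dataclass, field

# Constructed `ps -eo pid,user,args` snapshot for the example (not from the report).
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 www-data php-fpm: pool www
 1340 www-data /tmp/.x/xmrig -o pool.example:3333 -u 4Aexample --donate-level 1 -k
 1402 www-data /usr/local/bin/pawns-cli --email a@example.test --password x --accept-tos
 1560 root     sshd: /usr/sbin/sshd -D
"""

# Constructed shell history for the example; the kill lines mirror the
# "terminate competing XMRig processes" behaviour described in the article.
SAMPLE_HISTORY = """\
cd /var/www/html
ls -la
pkill -f xmrig
killall -9 xmrig
"""

# Real XMRig command-line flags plus a generic pool-URL pattern.
MINER_PATTERNS = [
    re.compile(r"\bxmrig\b", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level\b"),
    re.compile(r"\s-o\s+\S+:\d{2,5}\b"),
]
# Assumed client binary name for the IPRoyal "Pawns" proxyware (illustrative).
PROXYWARE_PATTERNS = [re.compile(r"\bpawns-cli\b", re.I)]
WEB_USERS = {"www-data", "apache", "nginx", "http"}
TEMP_EXEC = re.compile(r"^/(tmp|var/tmp|dev/shm)/|/\.[^/]+/")  # temp dirs or dot-dirs
MINER_KILL = re.compile(r"\b(pkill|killall|kill)\b.*\bxmrig\b", re.I)


@dataclass
class Finding:
    pid: int
    user: str
    category: str            # "miner", "proxyware" or "suspicious-exec"
    cmd: str
    reasons: list = field(default_factory=list)


def parse_ps(text):
    """Parse `pid user args` rows; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def triage_processes(ps_text):
    """Return one Finding per process that matches miner, proxyware or
    web-account-executing-from-temp heuristics."""
    findings = []
    for pid, user, cmd in parse_ps(ps_text):
        reasons, category = [], None
        for pat in MINER_PATTERNS:
            if pat.search(cmd):
                reasons.append("miner:" + pat.pattern)
                category = category or "miner"
        for pat in PROXYWARE_PATTERNS:
            if pat.search(cmd):
                reasons.append("proxyware:" + pat.pattern)
                category = category or "proxyware"
        if user in WEB_USERS and TEMP_EXEC.search(cmd.split()[0]):
            reasons.append("web account executing from temp or hidden directory")
            category = category or "suspicious-exec"
        if reasons:
            findings.append(Finding(pid, user, category, cmd, reasons))
    return findings


def find_miner_kill_commands(history_text):
    """Lines that kill XMRig processes: a competitor-eviction tell of the
    staging script, worth hunting in shell history or auditd execve logs."""
    return [ln.strip() for ln in history_text.splitlines() if MINER_KILL.search(ln)]


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_PS):
        print(f"{f.pid:>6} {f.user:<9} {f.category:<15} {f.cmd}")
    for line in find_miner_kill_commands(SAMPLE_HISTORY):
        print("kill-competitor:", line)
```

The heuristics are deliberately loose (a pool URL, a donate flag, a binary under `/tmp` run by the web server account) so that renamed miner binaries still trip at least one of them; confirm with a hash lookup or a look at `/proc/<pid>/exe` before acting, since a legitimate deployment could also run from an unusual path.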
