Threat actors have been combining a pair of critical Craft CMS vulnerabilities to facilitate server compromise as part of ongoing attacks, according to BleepingComputer.
According to an analysis from Orange Cyberdefense's SensePost ethical hacking team, the attack chain begins with the Craft CMS remote code execution flaw, tracked as CVE-2025-32432, which is exploited to deliver a custom request that writes a "return URL" into a PHP session file. The attackers then abuse the input validation bug in Craft CMS' Yii framework, tracked as CVE-2024-58136, by sending a malicious JSON payload, which lets them deploy a PHP-based file manager and deepen the compromise.
Attackers were subsequently observed installing backdoors and stealing data.
Admins have been urged to upgrade to the latest Craft CMS versions immediately. They have also been advised to refresh their security keys and other private keys stored as environment variables, rotate database credentials, and force password resets for their users to mitigate risk.