1.0 Introduction
Craft CMS has recently released a security update to address a critical remote code execution (RCE) vulnerability in Craft CMS.
2.0 Impact
- Full Server Compromise: Successful exploitation leads to complete system control by the attacker, allowing them to steal sensitive data, modify files, and execute arbitrary code.
- Data Theft and Integrity Loss: Attackers can access and exfiltrate sensitive information stored on the server, including databases, user data, and configuration files.
- Increased Attack Surface: The public availability of a Metasploit module further lowers the barrier for attack, making it easier for less sophisticated attackers to target vulnerable systems.
3.0 Affected Products
- Craft CMS: versions prior to 3.9.15, 4.14.15 and 5.6.17 (CVE-2025-32432; these releases contain the fix)
- Yii Framework: versions prior to 2.0.52 (CVE-2025-58136; this release contains the fix)
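The following is an added example (not part of the MyCERT advisory) that turns the version list above into a check an administrator can run over an inventory of installed Craft CMS and Yii versions. It encodes the fixed releases named in this advisory per major branch, so that a 4.0.0 install is still flagged even though it sorts above 3.9.15, and treats a pre-release tag such as 5.6.17-beta.1 as older than the final 5.6.17. The product keys, the `triage` helper and the sample inventory are this example's own constructions.

```python
import re

# Fixed releases named in this advisory, keyed by product and major branch.
# Branches not listed here (e.g. Craft 2.x) are reported as "not covered"
# rather than guessed at.
FIXED_VERSIONS = {
    "craftcms": {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)},  # CVE-2025-32432
    "yii2": {2: (2, 0, 52)},                                     # CVE-2025-58136
}

# MAJOR.MINOR.PATCH with an optional leading "v" and optional pre-release tag.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version):
    """Parse a version string into a comparable tuple (major, minor, patch, final).

    The trailing flag is 0 for a pre-release and 1 for a final release, so that
    5.6.17-beta.1 sorts below 5.6.17: a pre-release predates the fixed build.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable(product, version):
    """True if `version` predates the fix for its branch, False if it is fixed,
    None if the advisory does not cover that major branch."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS[product].get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed + (1,)  # the fixed release itself is a final build


def triage(inventory):
    """Map each (host, product, version) triple to a patch-priority label."""
    labels = {True: "VULNERABLE - patch now", False: "patched",
              None: "branch not covered by advisory"}
    return {host: labels[is_vulnerable(product, version)]
            for host, product, version in inventory}


# Constructed sample inventory; host names are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("www-1", "craftcms", "4.14.9"),
    ("www-2", "craftcms", "5.6.17"),
    ("api-1", "yii2", "2.0.49"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```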
4.0 Indicators of Compromise (IOCs)
| IOC | Type | Description |
|---|---|---|
| 103.106.66[.]123 | IP address | Attempted to drop filemanager.php |
| 172.86.113[.]137 | IP address | Dropped filemanager.php |
| 104.161.32[.]11 | IP address | Dropped filemanager.php |
| 154.211.22[.]213 | IP address | Uploaded file using filemanager.php |
| 38.145.208[.]231 | IP address | Renamed filemanager.php |
| d8fd8db85e6af76c91bfa17118dbecc6 | MD5 | File dropped at the root of the web directory |
| e6c3e12f67127196f9f40fb6f06e2b60facd8e61 | SHA1 | File dropped at the root of the web directory |
| dce988346f98d55b97fc7a7a4c49cef2883b80855a0ecb6371df4063e7ecc40d | SHA256 | File dropped at the root of the web directory |
| autoload_classmap.php | Filename | File dropped at the root of the web directory |
| wp-22.php | Filename | File dropped at the root of the web directory |
| style.php | Filename | File dropped at the root of the web directory |
| https://github.com/alexantr/filemanager | GitHub repository | Open-source project that filemanager.php originates from |
5.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the Craft CMS Security Bulletin and apply the necessary updates.
Kindly refer to the following URLs for more information:
- https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
- https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52
In general, we advise users to keep up to date with the vendor's latest security announcements and to follow security best practices when deciding which updates to apply.
For further enquiries, please contact the Cyber999 Incident Response Team through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my
6.0 References