Security News > 2025 > April > Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised
2025-04-28 07:13
Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP
News URL
https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html
Related news
- Apache Parquet exploit tool detect servers vulnerable to critical flaw (source)
- Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware (source)
- China-Linked Hackers Exploit SAP and SQL Server Flaws in Attacks Across Asia and Brazil (source)
- Hacker selling critical Roundcube webmail exploit as tech info disclosed (source)
- Critical flaws fixed in Nagios Log Server (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433) (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- ASUS releases fix for AMI bug that lets hackers brick servers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-04-10 | CVE-2024-58136 | Unspecified vulnerability in Yiiframework YII Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025. | 9.8 |