Craft CMS Zero-Day Exploit Hits Hundreds of Sites; Patches Released Following Active Attacks


A critical zero-day vulnerability in Craft CMS has been actively exploited, compromising nearly 300 websites and putting thousands more at risk. Tracked as CVE-2025-32432, the flaw carries a CVSS score of 10/10 and affects versions 3.x, 4.x, and 5.x of the platform. The issue stems from Craft CMS’s built-in image transformation feature, which can be abused by unauthenticated attackers to execute remote code on the server.

Attackers are exploiting the vulnerability by sending crafted POST requests to the image transformation endpoint. This allows them to upload and execute arbitrary PHP code, provided they first obtain a valid asset ID, which they do through a two-step process. In some cases, they inject code into a session file via a redirect on an admin page and execute it later, effectively bypassing standard authentication.

Security researchers at Orange Cyberdefense observed that manual exploitation began on February 10, 2025, and was quickly followed by automated attacks on February 14, once attackers refined their tooling. Based on scans, around 13,000 Craft CMS instances are considered potentially vulnerable out of 35,000 unique deployments worldwide.

Nearly 300 sites have already been compromised, with at least one taken offline after attackers overwrote multiple critical files. The attack method shows a high level of sophistication, with multiple paths to execution depending on how the target environment is configured.

Patches for the vulnerability were issued on April 10 in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17. The development team followed up with direct outreach on April 17, encouraging affected users to update immediately or install a temporary patching library while updates are applied.

The underlying flaw was found to originate in the Yii framework, which Craft CMS uses. That vulnerability is tracked separately as CVE-2024-58136, with a CVSS score of 9, and was fixed in Yii version 2.0.52 on April 9. It’s a regression of a previously patched issue, CVE-2024-4990, and has been exploited in the wild since at least February.
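For defenders, the two immediately actionable facts above are the fixed release numbers (Craft 3.9.15, 4.14.15, 5.6.17 and Yii 2.0.52) and the fact that exploitation arrives as POST requests to the image transform endpoint. The following script is an added example, not code from Craft CMS, Yii or Orange Cyberdefense: it checks an installed version against the patched releases named in this article and scans web-server access-log lines for POST requests to the transform controller action. The action path `actions/assets/generate-transform` is an assumption about which URL the article means by "image transformation endpoint", and the log lines are constructed for the example.

```python
"""Defender-side checks for CVE-2025-32432 (Craft CMS) and CVE-2024-58136 (Yii).

Added example, not project code. Two independent helpers:
  * craft_is_patched() / yii_is_patched(): compare an installed version with
    the fixed releases named in the advisory (3.9.15, 4.14.15, 5.6.17; Yii 2.0.52).
  * find_transform_requests(): scan access-log lines (combined/common format)
    for POST requests to the asset transform action. The path fragment below is
    an ASSUMPTION about the endpoint the article calls the
    "image transformation endpoint"; adjust it to your own routing.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Fixed releases per major branch, as published on April 10 (from the article).
FIXED_CRAFT = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
FIXED_YII = (2, 0, 52)

# Assumed controller action path of the transform endpoint (not from the article).
TRANSFORM_ACTION = "actions/assets/generate-transform"

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'3.9.15' -> (3, 9, 15); a pre-release suffix such as '-beta.1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad to major.minor.patch


def craft_is_patched(version):
    """True if at/after the fixed release of its branch, False if older,
    None for a branch the advisory does not cover (only 3.x-5.x are listed)."""
    v = parse_version(version)
    fixed = FIXED_CRAFT.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


def yii_is_patched(version):
    """True if the Yii 2 framework is at or beyond 2.0.52."""
    return parse_version(version) >= FIXED_YII


def find_transform_requests(log_text):
    """Return one record per POST to the transform action.

    The path is URL-decoded before matching so that percent-encoded slashes
    do not slip past a naive substring check.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        if m["method"] != "POST":
            continue  # the transform action is only abused via POST here
        if TRANSFORM_ACTION not in unquote(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return hits


def requests_per_source(hits):
    """Count hits per source IP; bursts from one address suggest automation."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:14:22:01 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2025:14:22:03 +0000] "POST /index.php?p=actions%2Fassets%2Fgenerate-transform HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.23 - - [14/Feb/2025:03:10:44 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 500 173 "-" "curl/8.5.0"
192.0.2.9 - - [14/Feb/2025:09:01:12 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Feb/2025:09:01:30 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ver in ("3.9.14", "4.14.15", "5.6.16", "5.7.0"):
        print(f"Craft {ver}: patched={craft_is_patched(ver)}")
    print(f"Yii 2.0.51: patched={yii_is_patched('2.0.51')}")
    found = find_transform_requests(SAMPLE_LOG)
    for h in found:
        print(h["time"].isoformat(), h["ip"], h["status"], h["path"])
    print("per source:", requests_per_source(found))
```

The version check deliberately returns `None` for branches the article does not cover rather than guessing, and the log scan treats a non-200 status as still worth listing, since the article notes exploitation paths vary with the target's configuration and a failed probe is itself a signal. Feed the scanner your real access logs for the window starting February 10, 2025.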

This incident highlights the real-world risk that zero-day exploits pose for CMS platforms widely used by small and mid-sized businesses as well as enterprise websites. With public exploit methods now circulating and evidence of targeted automation, the window between discovery and exploitation is shrinking fast.
