Talk

Investigating An In-The-Wild Campaign Using RCE In CraftCMS

conf 20.11.2025 14:10 – 14:40 La Marive EN

In mid-February, Orange Cyberdefense's CSIRT was tasked with investigating a server that had been hosting a now-unavailable website. The site had been built with CraftCMS version 4.12.8. The forensic investigation and the follow-up analysis with the Ethical Hacking team led to the discovery of two CVEs, CVE-2024-58136 and CVE-2025-32432, one of which lies in CraftCMS's parent framework, Yii. The aim of this presentation is to retrace the history of these CVEs.

It starts with the forensic analysis, which revealed that an attacker had gained remote access to the system and uploaded a PHP file manager through initially unknown means. Their automated exploit failed at first, and they had to fix their code live on the target. It continues with a detailed analysis, which showed that two distinct vulnerabilities were involved. The one in Yii was in fact the regression of a known bug in its component system, allowing arbitrary class instantiation in specific cases. The one in CraftCMS builds on this behavior: an unrestricted administration page is used to trigger the class instantiation, and the code that ends up being executed has previously been written into the PHP session file via the authentication system, which stores the "return URL". The talk will touch on building a Python exploit and porting it to Nuclei. Finally, it will cover the large-scale scan for vulnerable instances that was conducted with Onyphe, and the exploitation of these CVEs by the Mimo group (crypto miner, residential proxy).