Silent Sabotage: Unpatched Craft CMS Sites Under Siege by Code Injection Hackers
A critical vulnerability in Craft CMS is enabling attackers to hijack web servers, and federal agencies are racing against the clock to patch the threat.
On a quiet Monday this June, a new entry appeared in CISA’s Known Exploited Vulnerabilities catalog: a technical footnote that, for thousands of organizations, could spell disaster. The flaw, buried deep within the popular Craft CMS platform, is no theoretical bug: hackers are already exploiting it in the wild, planting malicious code and prying open the doors to full server compromise. Now, with a federal deadline looming, administrators are scrambling to defend their digital turf before attackers slip through the cracks.
The Anatomy of a Breach
The vulnerability at the heart of this crisis, CVE-2025-35939, is more than a simple coding oversight. It stems from Craft CMS’s mishandling of a “return URL” parameter, which is saved into PHP session files without proper input filtering. This lets unauthenticated attackers inject arbitrary PHP code into a predictable location on the server, a textbook setup for future exploitation.
But the real danger emerges when this flaw is chained with another weakness, CVE-2025-32432, which itself is rooted in the underlying Yii framework (CVE-2024-58136). By first planting a malicious payload via CVE-2025-35939 and then triggering its execution through a vulnerable image transform endpoint, attackers can seize control of the entire server, all without ever logging in.
For organizations running affected Craft CMS versions, the risks are stark: attackers can deploy web shells, steal sensitive data, pivot deeper into networks, or quietly establish long-term persistence. While CISA hasn’t confirmed ransomware cases yet, the technical ease and public exploit code make this bug attractive to both criminal groups and nation-state actors.
The federal response has been swift: agencies have until June 23 to either patch, mitigate, or pull vulnerable Craft CMS instances offline. The urgency echoes CISA’s actions on earlier Craft CMS flaws, highlighting a troubling pattern: despite its modest market share, Craft CMS remains a high-value target due to its exposure and the sophistication of available attacks.
What Now? Defending Against Exploitation
Administrators are urged to upgrade immediately to Craft CMS 4.15.3 or 5.7.5, ensuring the chained RCE vector is also closed. Where patching lags, experts recommend disabling risky endpoints, tightening web application firewall (WAF) rules, and monitoring for telltale signs: unexpected PHP files in session directories, unusual image transform requests, or outbound connections that may signal a web shell in action.
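One way to implement the first of those monitoring checks, as an added example that is not from the article and not Craft CMS code: the script below scans a directory of PHP session files and flags any file containing a PHP open tag, or any non-empty file whose content does not look like PHP's serialized session format. The session key name, file names and sample contents are constructed for the demo; the script assumes PHP's default session serializer (`key|value` records) or the `php_serialize` handler (a serialized array), so adjust the format check if your deployment uses something else.

```python
import os
import re
import tempfile

# A legitimate PHP session file stores serialized data, never PHP source.
# An open tag inside one is the signature the article describes.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Default "php" serializer writes "name|<serialized>" records; the
# "php_serialize" handler writes one serialized array ("a:N:{...}").
# Assumption: one of these two handlers is in use.
SESSION_FORMAT_RE = re.compile(rb"^(?:[A-Za-z_][A-Za-z0-9_]*\||a:\d+:\{)")


def scan_session_dir(path):
    """Return {filename: reason} for session files that look tampered with.

    Empty files are normal (a session started with no data yet) and are
    not reported.
    """
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        if PHP_TAG_RE.search(data):
            findings[name] = "php-open-tag"
        elif data and not SESSION_FORMAT_RE.match(data):
            findings[name] = "not-serialized-session"
    return findings


def build_demo_dir():
    """Create a temp directory with constructed sample session files."""
    demo = tempfile.mkdtemp(prefix="sess_demo_")
    samples = {
        # clean: a return URL stored as a plain serialized string
        "sess_clean": b'returnUrl|s:10:"/dashboard";',
        # clean: php_serialize-style array
        "sess_array": b'a:1:{s:9:"returnUrl";s:10:"/dashboard";}',
        # tampered: a PHP open tag inside the stored value (constructed marker)
        "sess_injected": b'returnUrl|s:33:"<?php /* constructed marker */ ?>";',
        # normal: freshly created session with no data
        "sess_empty": b"",
        # suspicious: content that is not serialized session data
        "sess_garbage": b"\x00\x01not a session record",
    }
    for name, content in samples.items():
        with open(os.path.join(demo, name), "wb") as fh:
            fh.write(content)
    return demo


if __name__ == "__main__":
    for fname, reason in scan_session_dir(build_demo_dir()).items():
        print(f"FLAG {fname}: {reason}")
```

Run it against the real session save path (see `session.save_path` in `php.ini`) with read-only permissions from a cron job or a log shipper; any hit warrants preserving the file for forensics before the session is cleaned up by PHP's garbage collector.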
The lesson is clear: in the fast-moving world of CMS vulnerabilities, even less ubiquitous platforms like Craft can become prime cybercrime real estate overnight. Vigilance, rapid patching, and proactive monitoring are the only defenses against this new breed of silent sabotage.
WIKICROOK
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- PHP Session Files: PHP session files store user data on the server. Without proper security, they can be exploited, risking user privacy and application integrity.
- Web Shell: A web shell is a malicious script uploaded to a server by hackers, allowing them to control the server remotely via a web interface.
- Web Application Firewall (WAF): A Web Application Firewall (WAF) monitors and filters web traffic, blocking known attack patterns to protect web applications from cyber threats.
- Chained Exploit: A chained exploit links multiple vulnerabilities in sequence, allowing attackers to bypass defenses and achieve more damaging attacks than single exploits.
As the threat landscape evolves, Craft CMS’s recent ordeal is a stark reminder: no platform is too small for the crosshairs of cybercriminals. Those who hesitate to patch may soon find themselves the next headline in a string of silent digital break-ins.