This external control of an assumed-immutable web parameter vulnerability in Craft CMS is a serious risk for organizations running affected installations: it lets unauthenticated attackers write arbitrary values, including PHP code, to a known file location on the server, which is a stepping stone to remote code execution once a second flaw causes that file to be executed.
CVE-2025-35939 is an external control of assumed-immutable web parameter weakness in Craft CMS, classified as CWE-472 (External Control of Assumed-Immutable Web Parameter).
The root cause is that the application does not validate or protect values it receives from the client before relying on them as parameters it assumes are fixed for the life of the request.
Because the server never expected those parameters to change, it processes them as trusted input, and an attacker who supplies different values can steer application behaviour, here into writing attacker-chosen content to the filesystem.
That assumption of immutability is what makes CWE-472 weaknesses dangerous: developers and security controls rarely check a value the server believes it set itself.
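To make the weakness class concrete, here is an added example (not Craft CMS code and not from the original article) of CWE-472 in miniature: a server round-trips a value through the client, such as a hidden form field, and later trusts it as if it were still the value it issued. The vulnerable handler accepts whatever comes back; the hardened handler binds the value to an HMAC tag so a client that changes it is detected. The field names, the handlers and the key are hypothetical, and the HMAC binding is one standard control for this class, not a description of how Craft CMS fixed its bug.

```python
"""CWE-472 in miniature. Added example, not Craft CMS code: a server round-trips a
value through the client (hidden form field, cookie, URL parameter) and later
trusts it as if it were still the value it issued. The vulnerable handler accepts
whatever comes back; the hardened handler binds the value to an HMAC tag so a
client that changes it is detected. Names and the key are hypothetical."""

import hashlib
import hmac
from typing import Callable, Dict

# Hypothetical server secret for the example; a real application loads it from
# configuration and rotates it, never hard-codes it.
SERVER_KEY = b"example-only-server-key"


def _tag(value: str) -> str:
    """HMAC-SHA256 over the value, hex-encoded; only the server can produce it."""
    return hmac.new(SERVER_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def render_hidden_field(record_id: str) -> Dict[str, str]:
    """What the server emits into the form: the value plus its tag."""
    return {"record_id": record_id, "record_id_tag": _tag(record_id)}


def handle_vulnerable(form: Dict[str, str]) -> str:
    """CWE-472: the round-tripped value is assumed immutable and used as-is."""
    return form["record_id"]


def handle_hardened(form: Dict[str, str]) -> str:
    """Uses the value only if the tag the server issued still matches it."""
    value = form.get("record_id", "")
    tag = form.get("record_id_tag", "")
    # compare_digest on bytes: constant-time, and tolerant of non-ASCII junk
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(value).encode("utf-8")):
        raise PermissionError("record_id was modified on the client side")
    return value


def accepts(handler: Callable[[Dict[str, str]], str], form: Dict[str, str]) -> bool:
    """True if the handler processes the form, False if it rejects it."""
    try:
        handler(form)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    form = render_hidden_field("42")
    tampered = dict(form, record_id="1337")  # the client edits the hidden field
    print("vulnerable handler used:", handle_vulnerable(tampered))
    print("hardened handler accepts tampered form:", accepts(handle_hardened, tampered))
```

The tag stops modification but not replay: a client can still submit a different `record_id` together with the tag the server issued for it in another form. If that matters, bind the tag to the session or add a nonce and expiry, or keep the value server-side and send the client only an opaque reference.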
The most concerning aspect of CVE-2025-35939 is that unauthenticated clients can introduce arbitrary values, including PHP code, into files at a known local location on the targeted server.
Writing attacker-controlled bytes to a predictable path does not execute them by itself, but it turns what looks like a parameter-manipulation bug into a potential remote code execution primitive: any further flaw that makes the server include or evaluate that file completes the chain.
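A responder's first question on a host running an affected version is whether any file in a directory that should hold only data now contains PHP code. The following triage check is an added example written for this page, not code from the article or from Craft CMS: it walks the directories you name and reports every PHP open tag it finds, with constructed sample files standing in for real session storage. The directory layout and the sample session contents are assumptions; point it at the session, cache or upload paths your deployment actually uses.

```python
"""Added triage check, not from the article or from Craft CMS. The flaw lets an
unauthenticated client write arbitrary values, including PHP code, to a file at a
known local location, so look for PHP open tags in directories that should hold
only data (PHP session storage, caches). Directory paths are assumptions."""

import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# <?php, <?= and the short tag "<? " are all matched; "<?xml" is not, so XML files
# in the same tree do not produce noise.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

Hit = Tuple[Path, int, bytes]  # file, byte offset, surrounding context


def scan_file(path: Path, max_bytes: int = 4 * 1024 * 1024) -> List[Tuple[int, bytes]]:
    """Offsets and context of every PHP open tag in the file's first max_bytes."""
    try:
        data = path.read_bytes()[:max_bytes]
    except OSError:
        return []
    return [(m.start(), data[max(0, m.start() - 20):m.end() + 40])
            for m in PHP_OPEN_TAG.finditer(data)]


def scan_dirs(dirs: List[Path]) -> List[Hit]:
    """Walk each directory (symlinks skipped) and collect PHP open-tag hits."""
    hits: List[Hit] = []
    for base in dirs:
        if not base.is_dir():
            continue
        for root, _, files in os.walk(base):
            for name in files:
                p = Path(root) / name
                if p.is_symlink():
                    continue
                hits.extend((p, off, ctx) for off, ctx in scan_file(p))
    return hits


def demo() -> int:
    """Constructed sample data: a benign session file, one carrying PHP, and an XML file."""
    with tempfile.TemporaryDirectory() as tmp:
        sessions = Path(tmp) / "sessions"
        sessions.mkdir()
        (sessions / "sess_clean").write_bytes(b'__flash|a:0:{}csrf|s:4:"abcd";')
        (sessions / "sess_bad").write_bytes(
            b'note|s:28:"<?php system($_GET["c"]); ?>";')
        (sessions / "manifest.xml").write_bytes(b'<?xml version="1.0"?><m/>')
        hits = scan_dirs([sessions])
        for path, off, ctx in hits:
            print(f"{path.name}@{off}: {ctx!r}")
        return len(hits)


if __name__ == "__main__":
    demo()
```

A hit is a lead, not proof: PHP tags can legitimately appear in cached templates, so compare each hit against file modification times, the web server's access log for the same window, and the ownership of the file before treating it as a web shell.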
The impact is amplified by the potential to chain this bug with CVE-2024-58136, a combination tracked as CVE-2025-32432.
Chained, the two give an attacker a path from a single unauthenticated request to control of the server, so exposure should be judged on the chain rather than on either bug's stand-alone severity; that attackers are assembling such chains against Craft CMS shows the platform is being actively worked by capable operators.
CISA's KEV entry lists the vulnerability's use in ransomware campaigns as unknown, but inclusion in the catalog itself confirms that it is being exploited in the wild.
That designation means threat actors are already using this vulnerability against real targets, so remediation is urgent for every organization running an affected Craft CMS installation.
CISA's guidance for the vulnerability offers three response paths.
The primary recommendation is to apply the vendor's mitigations, following the official Craft CMS security advisories and patches.
Organizations should identify every Craft CMS installation they run, confirm its version against the advisory, and apply the update that addresses CVE-2025-35939.
For cloud services, the guidance points to the applicable Binding Operational Directive (BOD) 22-01 requirements: the directive is binding on federal civilian executive branch agencies, which must remediate catalogued vulnerabilities by the due date CISA assigns, and CISA recommends that other organizations follow the same practice.
Where vendor mitigations are unavailable or insufficient, CISA advises discontinuing use of the product until adequate protections can be put in place.
That option underscores the severity CISA assigns to this vulnerability and the urgency of prioritizing the response before compromise occurs.
The post Craft CMS External Control Web Parameter Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.