Federal agencies and all Craft CMS users are being urged to patch or mitigate immediately due to confirmed in-the-wild attacks and the inclusion of the bug in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
CVE-2025-35939 is classified as an external control of assumed-immutable web parameter issue (CWE-472) in Craft CMS.
The flaw arises because Craft CMS stores a user-controlled “return URL” in the PHP session without sanitizing it, treating a value the client chose as if it were a fixed, trusted parameter. Because PHP persists the session to disk at a predictable location (a sess_<id> file under session.save_path, where the id comes from the client's own session cookie), an unauthenticated client can use this to write attacker-chosen bytes, including PHP source, into a local file whose path it can work out.
Under the right conditions, this turns what looks like a logic bug into a practical code injection primitive that attackers can weaponize in multi‑stage exploits.
CISA has added CVE-2025-35939 to its KEV catalog, confirming active exploitation against real-world Craft CMS installations.
Security reporting notes that threat actors are already using the bug to plant malicious PHP into session files, setting up later execution via other vulnerable components.
The impact grows when CVE-2025-35939 is chained with the Craft CMS remote code execution path tracked as CVE-2025-32432, which itself leverages an upstream Yii framework validation issue (CVE-2024-58136).
In this chained scenario, the attacker first seeds a session file using CVE-2025-35939, then abuses the image transform endpoint logic described in CVE-2025-32432 to load and execute the poisoned session file, achieving full unauthenticated RCE.
Advisories describe CVE-2025-35939 as affecting Craft CMS branches before the fixed releases in the 4.x and 5.x lines, with vendor patches shipped in versions 4.15.3 and 5.7.5.
Separately, the chained RCE vulnerability CVE-2025-32432 impacts Craft CMS 3.0.0-RC1 through 3.9.14, 4.0.0-RC1 through 4.14.14, and 5.0.0-RC1 through 5.6.16, highlighting broad exposure across supported generations.
Successful exploitation can give unauthenticated attackers arbitrary code execution on the underlying web server, enabling web shell deployment, data theft, lateral movement, and long-term site compromise.
While CISA currently lists ransomware usage as “unknown,” the RCE characteristics and available exploit examples make this an attractive target for financially motivated and state-aligned actors.
CVE-2025-35939 was added to the KEV catalog on 2 June 2025, with a remediation due date of 23 June 2025 for U.S. federal civilian agencies, in line with Binding Operational Directive 22-01.
These entities must either apply vendor mitigations, follow BOD 22‑01 guidance for cloud deployments, or discontinue use of vulnerable Craft CMS instances if fixes cannot be applied.
CISA’s decision mirrors earlier KEV actions on related Craft CMS code injection flaws, such as CVE-2025-23209, which was also ordered patched on a tight timeline after evidence of exploitation emerged.
The pattern underlines that Craft CMS, despite a smaller market share than some competitors, represents a meaningful attack surface given tens of thousands of exposed installations and the availability of public exploit techniques.
Administrators should immediately upgrade to Craft CMS 4.15.3 or 5.7.5 or later, and confirm that the chained RCE vulnerability CVE-2025-32432 is also remediated: that bug was fixed in 3.9.15, 4.14.15 and 5.6.17, so the 4.15.3 and 5.7.5 releases already contain the fix, but sites still on the 3.x line need 3.9.15 or later.
Where patching is not immediately possible, organizations should reduce exposure in the meantime: restrict access to the control panel and the image-transform functionality, add WAF rules that reject return-URL parameters carrying PHP tags or other non-URL content, and consider temporarily disabling public Craft CMS endpoints that the site does not need.
Security teams should hunt for indicators such as unexpected PHP content in session directories, anomalous access to the image transform endpoint, and outbound connections from the web server consistent with web shells or reverse shells triggered via the PhpManager gadget chain.
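The first of those hunts, checking session files for PHP source, can be automated. The script below is an added example, not code from the article or from Craft CMS. It assumes PHP's default `php` session serialize handler (files named `sess_<id>` in `session.save_path`, written as repeated `key|<serialized value>` records), and it assumes the return URL lives under Yii's default session key `__returnUrl`; it decodes each record with a minimal PHP unserialize for scalars and arrays and flags any string that contains a PHP open tag. The sample session files it creates are constructed for the demonstration, not real captures.

```python
"""Hunt PHP session files for embedded PHP tags (CVE-2025-35939 seeding artefacts).

Added example, not part of the original article or of Craft CMS. Assumes the
default PHP session serialize_handler ("php"), which writes sess_<id> files in
session.save_path as repeated  key|<serialized value>  records, and assumes
the Yii/Craft return-URL session key is "__returnUrl" (Yii's default).
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A PHP open tag anywhere inside session data is anomalous: a legitimate
# return URL is a path or URL, never PHP source.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def _unserialize(buf: bytes, pos: int):
    """Minimal PHP unserialize() for N, i, d, b, s and a; returns (value, next_pos)."""
    t = buf[pos:pos + 1]
    if t == b"N":                       # N;
        return None, pos + 2
    if t in (b"i", b"d", b"b"):         # i:123;  d:1.5;  b:1;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        val = int(raw) if t == b"i" else float(raw) if t == b"d" else raw == b"1"
        return val, end + 1
    if t == b"s":                       # s:<bytelen>:"<bytes>";  (length-prefixed, quotes are not escaped)
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2               # skip :"
        raw = buf[start:start + length]
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {start + length}")
        return raw.decode("utf-8", "replace"), start + length + 2
    if t == b"a":                       # a:<count>:{<key><value>...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        p = colon + 2                   # skip :{
        out = {}
        for _ in range(count):
            k, p = _unserialize(buf, p)
            v, p = _unserialize(buf, p)
            out[k] = v
        return out, p + 1               # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def parse_php_session(buf: bytes) -> dict:
    """Split a 'php'-handler session file into {key: decoded value}."""
    pos, data = 0, {}
    while pos < len(buf):
        bar = buf.index(b"|", pos)
        key = buf[pos:bar].decode("utf-8", "replace")
        data[key], pos = _unserialize(buf, bar + 1)
    return data


def find_php_tags(value, path: str = "") -> list:
    """Walk a decoded value and return (dotted.key.path, snippet) for every PHP open tag."""
    hits = []
    if isinstance(value, str):
        if PHP_TAG.search(value.encode("utf-8", "replace")):
            hits.append((path, value[:60]))
    elif isinstance(value, dict):
        for k, v in value.items():
            hits.extend(find_php_tags(v, f"{path}.{k}" if path else str(k)))
    return hits


def scan_session_dir(directory) -> list:
    """Return one finding per PHP tag (or per unparseable file) across sess_* files."""
    findings = []
    for f in sorted(Path(directory).glob("sess_*")):
        raw = f.read_bytes()
        try:
            data = parse_php_session(raw)
        except (ValueError, UnicodeDecodeError) as exc:
            # Data the handler would not have written is itself worth a look;
            # fall back to a raw byte scan so a tag is never missed.
            tagged = bool(PHP_TAG.search(raw))
            findings.append({"file": f.name, "key": None,
                             "reason": f"unparseable ({exc}); raw php tag: {tagged}"})
            continue
        for key, snippet in find_php_tags(data):
            findings.append({"file": f.name, "key": key, "reason": f"php tag: {snippet!r}"})
    return findings


def _php_str(s: str) -> bytes:
    """Serialize a Python str the way PHP serialize() writes a string."""
    b = s.encode("utf-8")
    return b's:%d:"%s";' % (len(b), b)


def build_sample_session_dir() -> Path:
    """Write constructed sample session files (not real captures) to a temp dir."""
    d = Path(tempfile.mkdtemp(prefix="craft_sess_"))
    # benign: empty flash bag plus a normal control-panel return URL
    (d / "sess_benign").write_bytes(b"__flash|a:0:{}__returnUrl|" + _php_str("/admin/dashboard"))
    # poisoned: return URL carrying a PHP open tag, the artefact seeding would leave behind
    (d / "sess_poisoned").write_bytes(b"__flash|a:0:{}__returnUrl|" + _php_str("<?php echo 'x'; ?>"))
    # nested benign: a flash-message array and an integer user id
    (d / "sess_nested").write_bytes(
        b"__flash|a:1:{" + _php_str("notice") + _php_str("Saved") + b"}__id|i:42;")
    return d


if __name__ == "__main__":
    for hit in scan_session_dir(build_sample_session_dir()):
        print(f"{hit['file']}: {hit['key']}: {hit['reason']}")
```

Point `scan_session_dir` at the real `session.save_path` (run as a user with read access, and copy the directory first if you want to preserve evidence). A hit shows that the seeding step of the chain reached the host, not that the payload was executed; correlate it with web-server logs for the image-transform action. Two caveats: with `session.serialize_handler = php_serialize` the whole session is one serialized array and the file starts with `a:` rather than `key|`, and Craft deployments using database or Redis session storage keep nothing on disk at all, so the same tag check has to run against that store instead.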
Given ongoing exploitation, monitoring CISA’s KEV updates and vendor advisories for Craft CMS should remain a priority for any environment that relies on this platform.
The post CISA Warns of Craft CMS Code Injection Flaw Exploited in the Wild appeared first on Cyber Security News.