CVE-2025-35939 — Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Craft CMS — Pre-Auth PHP Code Injection via Immutable Parameter Manipulation, Chains to RCE

What is Craft CMS?

Craft CMS is a flexible, PHP-based content management system developed by Pixel & Tonic. It is widely used for building websites, e-commerce platforms, and web applications, particularly in the media, publishing, and agency sectors. Craft CMS uses the Yii 2 framework as its underlying PHP application framework. Because Craft CMS is internet-facing by nature and commonly stores user data, it is a recurring target for web application attacks.

Overview

Craft CMS contains an external control of assumed-immutable web parameter vulnerability (CWE-472) that allows an unauthenticated remote attacker to introduce arbitrary values — including PHP code — to a known local file location on the server. While this vulnerability has a moderate CVSS score in isolation, it is primarily significant as the first step in a two-vulnerability remote code execution chain (tracked as CVE-2025-32432) when combined with CVE-2024-58136, a Yii framework deserialization/code execution vulnerability.

The chained attack allows a fully unauthenticated attacker to achieve remote code execution on Craft CMS installations.

Affected Versions

Craft CMS Version    Fixed In
3.x                  Latest 3.x patch release
4.x                  4.14.9 or later
5.x                  5.6.0 or later

Consult the official Craft CMS security advisories and GitHub pull request #17220 for the definitive list of affected and patched versions.

Technical Details

The vulnerability (CWE-472) involves parameters that the Craft CMS application assumes cannot be modified by an external client — typically server-side state or file paths that are expected to be internally generated. An unauthenticated client can manipulate these parameters to introduce arbitrary content, including PHP code fragments, into a predictable file location on the server.

The exploitation chain (CVE-2025-32432):

  1. CVE-2025-35939 (this CVE): An unauthenticated attacker sends a crafted HTTP request that manipulates an assumed-immutable parameter. This causes Craft CMS to write attacker-controlled content (PHP code) to a known path on the server's filesystem.

  2. CVE-2024-58136: A vulnerability in the Yii 2 framework (which Craft CMS uses) allows object deserialization or code path manipulation. The attacker leverages this to trigger execution of the PHP code written in step 1.

  3. Result: Remote code execution as the web server process user, with no authentication required.

Attack characteristics:

  • Fully unauthenticated — no account or credentials needed
  • Network-accessible — any internet-facing Craft CMS installation is reachable
  • Low complexity — exploitation was automated in the April 2025 campaign
  • Arbitrary PHP execution — full server-side code execution as the web server user

Discovery

The chained exploit (CVE-2025-32432) was observed in active exploitation campaigns beginning around April 14, 2025, before the formal CVE assignment. Security researchers analyzing the campaign identified the two-CVE chain and reported it to the Craft CMS team, leading to the May 7, 2025 patch.

Exploitation Context

Active mass exploitation of this vulnerability chain was detected in April 2025, prior to the formal patch release. Attackers automated scanning and exploitation targeting internet-accessible Craft CMS installations. Successful exploitation resulted in:

  • Web shell deployment on vulnerable servers
  • Data exfiltration of CMS database contents (user data, credentials, content)
  • Use of compromised servers as pivot points for further attacks

CISA added CVE-2025-35939 to the KEV catalog on June 2, 2025, one month after the patch — reflecting both the severity of the active exploitation campaign and the number of installations remaining unpatched.

Remediation

  1. Update Craft CMS — upgrade to Craft CMS 4.14.9+ (4.x) or 5.6.0+ (5.x) or the latest 3.x patch as applicable.
  2. Apply the Yii 2 fix — ensure the underlying Yii framework is also updated to address CVE-2024-58136; Craft CMS updates typically bundle the Yii dependency update.
  3. Audit for compromise — if running a vulnerable version that was internet-accessible, review web server logs for unusual POST requests, unexpected file creation in web-accessible directories, and signs of web shell activity.
  4. Check for web shells — scan public web directories for recently created PHP files not part of the Craft CMS distribution.
  5. Restrict web server write permissions — ensure the web server process cannot write PHP files to web-accessible directories; use php_admin_flag engine off or similar directives for upload directories.
  6. WAF rules — if immediate patching is not possible, deploy WAF rules targeting the vulnerable parameter patterns while the patch is applied.
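The two audit steps above (reviewing web server logs for unusual POST requests, and scanning web-accessible directories for recently created PHP files not part of the distribution) can be scripted. The following is an added example written for this page, not Craft CMS project code and not something the advisory ships. It assumes access logs in the standard Apache/nginx combined format, that /index.php is the only legitimate PHP entry point under the web root, and that the site keeps a manifest of the PHP files that belong to the deployment; the sample log lines, the manifest and the temporary web root it builds are constructed fixtures.

```python
"""Log and filesystem triage for the "Audit for compromise" and "Check for web
shells" remediation steps. Added example, not Craft CMS project code.
Assumptions: access logs are in the standard Apache/nginx combined format, the
front controller is /index.php, and the sample log lines, the file manifest and
the temporary web root below are constructed fixtures."""
import os
import re
import tempfile
import time
from collections import Counter

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

FRONT_CONTROLLER = "/index.php"          # assumption: Craft's single PHP entry point
PHP_EXTENSIONS = (".php", ".phtml", ".phar")


def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unusual_posts(lines, burst_threshold=3):
    """Two triage heuristics over access-log lines (both are assumptions; tune per site):
    - a POST to any PHP file other than the front controller is flagged, since a
      dropped web shell is invoked exactly this way;
    - a client sending at least `burst_threshold` POSTs is reported as noisy, which
      is how automated scanning of the kind described above shows up in logs.
    Returns (flagged_requests, noisy_ips)."""
    flagged = []
    posts_per_ip = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        posts_per_ip[rec["ip"]] += 1
        path = rec["path"].split("?", 1)[0]      # drop the query string
        if path.lower().endswith(PHP_EXTENSIONS) and path != FRONT_CONTROLLER:
            flagged.append((rec["ip"], path, rec["status"]))
    noisy = {ip for ip, n in posts_per_ip.items() if n >= burst_threshold}
    return flagged, noisy


def find_unknown_php_files(web_root, manifest, newer_than):
    """PHP files under web_root that are either absent from `manifest` (a set of
    web-root-relative paths of files that belong to the deployment) or modified
    after `newer_than` (epoch seconds). Paths are returned POSIX-style, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if rel not in manifest or os.path.getmtime(full) > newer_than:
                hits.append(rel)
    return sorted(hits)


# Constructed sample log: one ordinary GET, one legitimate form POST, and a
# client that hammers the front controller and then calls a PHP file in uploads/.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2025:10:01:02 +0000] "GET /index.php?p=about HTTP/1.1" 200 5120
203.0.113.7 - - [14/Apr/2025:10:01:10 +0000] "POST /index.php?p=contact HTTP/1.1" 302 0
198.51.100.9 - - [14/Apr/2025:10:02:01 +0000] "POST /index.php HTTP/1.1" 200 118
198.51.100.9 - - [14/Apr/2025:10:02:02 +0000] "POST /index.php HTTP/1.1" 200 118
198.51.100.9 - - [14/Apr/2025:10:02:03 +0000] "POST /uploads/cache.php HTTP/1.1" 200 42
"""


def demo_scan():
    """Build a constructed web root in a temp dir: a known, month-old index.php,
    an image, and an unlisted uploads/cache.php. Only the last should be reported."""
    root = tempfile.mkdtemp()
    manifest = {"index.php"}
    for rel in ("index.php", "uploads/img.jpg", "uploads/cache.php"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed fixture\n")
    month_ago = time.time() - 30 * 86400
    os.utime(os.path.join(root, "index.php"), (month_ago, month_ago))
    return find_unknown_php_files(root, manifest, newer_than=time.time() - 7 * 86400)


if __name__ == "__main__":
    flagged, noisy = find_unusual_posts(SAMPLE_LOG.splitlines())
    print("flagged POSTs:", flagged)
    print("noisy clients:", noisy)
    print("unknown or recent PHP files:", demo_scan())
```

On a real host, feed `find_unusual_posts` the access log lines and `find_unknown_php_files` the web root with a manifest generated from a clean copy of the same Craft CMS release; anything it lists is a candidate for manual review, not proof of compromise, and the burst threshold and the "PHP file other than the front controller" rule are starting points to adjust for the site's own traffic.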

Key Details

Property               Value
CVE ID                 CVE-2025-35939
Vendor / Product       Craft CMS — Craft CMS
NVD Published          2025-05-07
NVD Last Modified      2025-10-24
CVSS 3.1 Score         5.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity               MEDIUM
CWE                    CWE-472
CISA KEV Added         2025-06-02
CISA KEV Deadline      2025-06-23
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        None
Integrity              Low
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-06-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-04-14   Craft CMS exploitation campaign detected in the wild, chaining CVE-2025-35939 with CVE-2024-58136
2025-05-07   CVE-2025-35939 published; Craft CMS fix released
2025-06-02   Added to CISA Known Exploited Vulnerabilities catalog
2025-06-23   CISA BOD 22-01 remediation deadline