Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access.
The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities -

CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP



Source: TheHackerNews
Source Link: https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html