
Immediate Actions to Secure Your Craft CMS Sites After Recent Vulnerabilities
Multiple critical security vulnerabilities discovered in Craft CMS during 2024–2025 are being actively exploited, putting hundreds of sites at risk. If you're running Craft CMS, you need to act immediately to protect your site from remote code execution attacks and unauthorized access.
Our team has been working with clients to secure their Craft CMS installations following these discoveries. This guide provides the exact steps you need to take right now, along with the technical details and verification methods to ensure your site stays protected.
These vulnerabilities aren't theoretical. Attackers are actively scanning for vulnerable Craft CMS sites and exploiting them for data theft, spam deployment, and ransomware attacks. The good news is that protecting your site is straightforward if you know what to do.
Understanding the Current Threat Landscape
Three major vulnerabilities are currently being exploited in the wild:
CVE-2025-32432 is an unauthenticated remote code execution flaw in Craft's asset transform generation. Attackers send crafted POST requests to the `assets/generate-transform` controller action (reached as `/actions/assets/generate-transform` or as `/index.php?p=admin/actions/assets/generate-transform`) whose parameters carry `__class` keys; Yii's object configuration turns those into instantiation of attacker-chosen classes on your server. It is fixed in Craft 3.9.15, 4.14.15 and 5.6.17.
CVE-2025-23209 enables code injection if an attacker obtains your system's security key (`CRAFT_SECURITY_KEY`). It is only exploitable with a leaked key, which is why it is chained with exposed `.env` files or other disclosure bugs to gain full server control. It is fixed in Craft 4.13.8 and 5.5.8.
CVE-2024-58136 affects the Yii 2 PHP framework that Craft is built on (versions before 2.0.52): improper protection of an alternate path when behaviors are attached with a `__class` key, which is what lets the CVE-2025-32432 request reach arbitrary classes. Updating `yiisoft/yii2` to 2.0.52 or later closes it.
Sites running older, unpatched versions account for most of the compromises seen during incident work. The Cybersecurity and Infrastructure Security Agency (CISA) has added all three CVEs to its Known Exploited Vulnerabilities catalog, its signal of confirmed active exploitation.
Step 1: Update Craft CMS and All Dependencies
This is your highest priority action. Update Craft CMS to at least version 5.6.17, 4.14.15 or 3.9.15, depending on your major version. Those are the releases that fix CVE-2025-32432; the earlier 5.5.8 and 4.13.8 releases fixed only CVE-2025-23209, so a site that stopped there is still exposed. Make sure the update also brings `yiisoft/yii2` to 2.0.52 or later for CVE-2024-58136.
Here's the exact process we recommend:
```bash
# Update the Craft CMS core together with all of its dependencies (-W),
# so yiisoft/yii2 moves to 2.0.52 or later at the same time
composer update craftcms/cms -W
# Update all plugins and dependencies
composer update
# Run database migrations
php craft migrate/all
# Clear any cached data
php craft clear-caches/all
```
If you're using Craft Cloud, redeploy your environment through the dashboard to ensure you're running the latest version.
Before updating production: Test the update process on a staging environment first. Some plugins may not be compatible with the latest Craft version, and you'll want to address any issues before updating your live site.
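Before and after the update it is worth checking what is actually installed rather than what `composer.json` asks for. The script below is an added example (not Craft's own tooling) that reads a `composer.lock` and compares the locked `craftcms/cms` and `yiisoft/yii2` versions against the fixed releases named above; the sample lock file is constructed inline, and the version table is the only thing it assumes.

```python
"""Check a composer.lock against the fixed Craft / Yii releases.
Added example, not Craft tooling. Fixed versions are from the advisories for
CVE-2025-32432 (Craft 3.9.15 / 4.14.15 / 5.6.17) and CVE-2024-58136 (Yii 2.0.52);
the Craft releases also cover CVE-2025-23209 (fixed earlier, in 4.13.8 / 5.5.8)."""
import json
import re
from typing import Optional

# Lowest fixed release per major branch.
FIXED = {
    "craftcms/cms": {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)},
    "yiisoft/yii2": {2: (2, 0, 52)},
}


def parse_version(version: str) -> Optional[tuple]:
    """'v5.6.17', '5.6.17.1' or '4.14.15-beta.1' -> (5, 6, 17); 'dev-main' -> None."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def locked_versions(lock: dict) -> dict:
    """Map package name -> version string from the lock file's 'packages' list."""
    return {p["name"]: p["version"] for p in lock.get("packages", [])}


def check_lock(lock: dict) -> list:
    """Return (package, installed, required) for every package below its fix.
    required is None when the version cannot be evaluated (dev refs, unknown major)."""
    installed_all = locked_versions(lock)
    findings = []
    for name, branches in FIXED.items():
        installed = installed_all.get(name)
        if installed is None:
            continue  # package not in this project
        ver = parse_version(installed)
        if ver is None or ver[0] not in branches:
            findings.append((name, installed, None))
            continue
        fixed = branches[ver[0]]
        if ver < fixed:
            findings.append((name, installed, ".".join(map(str, fixed))))
    return findings


# Constructed sample lock: a Craft 5 site that took the 5.5.8 patch (CVE-2025-23209)
# but not the 5.6.17 one, still on the vulnerable Yii release.
SAMPLE_LOCK = json.loads("""
{"packages": [
  {"name": "craftcms/cms", "version": "5.5.8"},
  {"name": "yiisoft/yii2", "version": "2.0.51"},
  {"name": "craftcms/redactor", "version": "3.1.0"}
]}
""")

if __name__ == "__main__":
    # On a real project: lock = json.load(open("composer.lock"))
    for name, installed, required in check_lock(SAMPLE_LOCK):
        if required:
            print(f"{name} {installed} is below {required}: update")
        else:
            print(f"{name} {installed}: could not evaluate, review manually")
```

Run it against the real `composer.lock` from the project root; an empty result means both packages are at or above the fixed releases, while a `None` requirement flags a `dev-*` reference or an unexpected major version that needs a human look.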
Step 2: Rotate Your Security Keys Immediately
If you cannot update immediately, rotate your security key. This does not remove CVE-2025-23209, but exploiting it requires knowing the key, so a fresh key that has never been exposed (through a leaked `.env`, a repository, or a backup) cuts off that chain until you patch. Generate a new key and update it across all environments:
```bash
# Generate a new security key (writes CRAFT_SECURITY_KEY to .env)
php craft setup/security-key
```
Update the `CRAFT_SECURITY_KEY` environment variable in your production environment. If you're using shared hosting, update this through your hosting control panel or `.env` file.
Important: After rotating the security key, all users will need to log in again, and anything a plugin encrypted with the old key through Craft's security service can no longer be decrypted, so check your plugins' documentation first. Plan this maintenance window accordingly and notify your team.
Our experience shows that many sites store other sensitive credentials as environment variables. Take this opportunity to rotate:
- Database passwords
- API keys for third-party services (Stripe, AWS, etc.)
- Email service credentials
- Any other sensitive configuration values
Step 3: Implement Immediate Access Controls
Restrict control panel access to trusted IP addresses while you complete the security updates. This keeps attackers out of the admin interface even if they find other weaknesses, but two caveats apply: the `admin` URL segment is Craft's default `cpTrigger` and may be different on your site, and the vulnerable controller action is also reachable as `index.php?p=admin/actions/...`, so a rule that only matches the `/admin` path does not cover it. Treat this as a stopgap, not a patch.
Apache .htaccess example (Apache 2.4 syntax; the 2.2-era `Order`/`Deny from` directives are ignored unless mod_access_compat is loaded). It covers both the `/admin/...` paths and the `index.php?p=admin/...` form of the same requests:

```apache
<If "%{REQUEST_URI} =~ m#^/admin(/|$)# || %{QUERY_STRING} =~ m#(^|&)p=admin(/|&|$)#">
    # Multiple Require lines default to RequireAny: any listed address is allowed
    Require ip 192.168.1.100
    Require ip 203.0.113.0/24
</If>
```
Nginx configuration. A `location` match only sees the path, never the query string, so the `index.php?p=admin/...` form needs a `map` on `$arg_p` or the WAF rule in Step 6. Keep `try_files` so allowed requests still reach Craft's front controller:

```nginx
location ~ ^/admin(/|$) {
    allow 192.168.1.100;
    allow 203.0.113.0/24;
    deny all;
    try_files $uri /index.php?$query_string;
}
```

Enable multi-factor authentication for all admin accounts if you haven't already. Craft 5 has two-step verification built in (authenticator-app codes or passkeys); Craft 3 and 4 rely on plugins such as Craft CMS MFA.
Step 4: Check for Signs of Compromise
Review your web server and Craft logs for exploitation attempts. The telltale request is a POST to the `assets/generate-transform` action (`/actions/assets/generate-transform` or `/index.php?p=admin/actions/assets/generate-transform`) whose parameters contain `__class`. Standard access logs record the method, path and query string but not the body, so a POST to that action from an address that never signed in to the control panel is itself the signal; `__class` is visible only where bodies are logged (WAF or ModSecurity audit logs, a reverse proxy) or when the attacker put it in the query string. Cross-check the same timestamps in Craft's own logs under `storage/logs/` for exceptions thrown by the transform code.
Common attack patterns to search for:
- Unusual POST requests to asset transformation endpoints
- New files in your web root or upload directories
- Unexpected PHP files, for example `filemanager.php`, or `autoload_classmap.php` anywhere other than `vendor/composer/`, where Composer legitimately writes a file of that name
- Suspicious database queries or new admin accounts
Run a malware scan. Remote scanners such as Sucuri SiteCheck only see what your site serves publicly, so pair them with a server-side check of the file system (a comparison against a known-good deploy, or a scanner with shell access) to find uploaded backdoors that are never linked from a page.
If you find evidence of compromise, isolate the affected server immediately and contact your hosting provider or security team before proceeding with cleanup.
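The indicators above are simple enough to triage without a SIEM. The script below is an added example (not Craft tooling) that runs over access log lines in the combined format and over a web root: it counts POSTs to the transform action per client IP in both URL forms, flags fetches of the file names mentioned above and any `__class` that leaked into a query string, and lists PHP-like files that have no business in a web root or upload volume. The log lines and the directory tree are constructed inline; the regexes and the list of suspicious names are this example's assumptions.

```python
"""Triage helpers for the indicators under Step 4 (added example, not Craft tooling).
The log regex, webshell names and every sample line below are constructed here."""
import os
import re
import tempfile
from collections import Counter
from urllib.parse import unquote

# Apache/nginx combined log: client IP, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The action is reached as /actions/... or through the front controller's p= parameter.
# The control panel segment ("admin" by default, cpTrigger) is configurable, so it is not hard-coded.
TRANSFORM_RE = re.compile(
    r"(/actions/assets/generate-transform|[?&]p=[^&]*/actions/assets/generate-transform)", re.I
)
# Names reported in the wild; autoload_classmap.php is legitimate only under vendor/composer/.
WEBSHELL_RE = re.compile(r"/(filemanager|autoload_classmap)\.php(\?|$)", re.I)


def scan_access_log(lines):
    """Per-IP count of POSTs to the transform action, hits on webshell names, and
    targets carrying __class in the query string (request bodies are not in access logs)."""
    transform_posts, shell_hits, class_in_query = Counter(), [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # rotated-log headers, truncated lines, etc.
        target = unquote(m["target"])  # decode %5B__class%5D and similar
        if m["method"] == "POST" and TRANSFORM_RE.search(target):
            transform_posts[m["ip"]] += 1
        if WEBSHELL_RE.search(target):
            shell_hits.append((m["ip"], target, m["status"]))
        if "__class" in target:
            class_in_query.append((m["ip"], target))
    return {"transform_posts": transform_posts, "shell_hits": shell_hits,
            "class_in_query": class_in_query}


PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")


def unexpected_php_files(root, allowed=("index.php",)):
    """PHP-like files under a Craft web root or upload volume, minus the expected
    front controller. Anything returned deserves a look at its contents and mtime."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXT):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in allowed:
                hits.append(rel)
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree: a Craft web root with two dropped PHP files."""
    root = tempfile.mkdtemp()
    for rel in ("index.php", "uploads/photo.jpg", "uploads/filemanager.php",
                "cpresources/app.css", "autoload_classmap.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


# Constructed sample access log: one scanner probing the transform action three ways,
# one fetch of a dropped file manager, normal traffic, and an unparseable line.
SAMPLE_LOG = [
    '203.0.113.45 - - [16/Apr/2025:10:12:01 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.45 - - [16/Apr/2025:10:12:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.45 - - [16/Apr/2025:10:12:03 +0000] "POST /actions/assets/generate-transform?handle%5B__class%5D=x HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Apr/2025:10:15:00 +0000] "GET /filemanager.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [16/Apr/2025:10:20:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 22000 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    report = scan_access_log(SAMPLE_LOG)
    for ip, count in report["transform_posts"].most_common():
        print(f"{ip}: {count} POST(s) to assets/generate-transform")
    for ip, target, status in report["shell_hits"]:
        print(f"{ip} fetched {target} (HTTP {status})")
    for ip, target in report["class_in_query"]:
        print(f"{ip} sent __class in the query string: {target}")
    for rel in unexpected_php_files(build_sample_webroot()):
        print(f"unexpected PHP file: {rel}")
```

On a real server, feed `scan_access_log` the lines of your access log and point `unexpected_php_files` at `web/` and each upload volume; the count of transform POSTs per IP is the number to compare against your control panel logins, since legitimate users trigger that action only while signed in.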
Step 5: Harden Your Server Configuration
Disable PHP execution in upload directories to prevent attackers from running malicious scripts they manage to upload:
Apache .htaccess in upload directories. `php_flag engine off` only applies when PHP runs as mod_php; the `FilesMatch` block works with PHP-FPM as well and, unlike a blanket `Deny from all`, leaves the images in the directory servable:

```apache
php_flag engine off
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
```
Nginx configuration. Regex `location` blocks are tried in file order, so this must appear before the `location ~ \.php$` block that hands requests to PHP-FPM, or that block wins:

```nginx
location ~* ^/uploads/.*\.ph(p[0-9]?|tml|ar)$ {
    return 403;
}
```

Ensure your `.env` file and other sensitive configuration files are not publicly accessible. In Craft's standard layout the document root is the `web/` directory and `.env`, `config/` and `vendor/` sit one level above it, so they are never served; if your host forces the project root to be the document root, protect them in the server configuration.
Set proper file permissions. The PHP process user still needs write access to `storage/`, `web/cpresources/` and your upload volumes, and must be able to read `.env`, so run these as that user, or use 640/750 with the web server's group where the owner is a different account:

```bash
# Set file permissions
find /path/to/craft -type f -exec chmod 644 {} \;
find /path/to/craft -type d -exec chmod 755 {} \;
# Make sure sensitive files are not world-readable
chmod 600 .env
chmod 600 config/db.php
```

Step 6: Implement Application-Level Protections
Deploy a Web Application Firewall (WAF) to filter malicious requests before they reach your Craft CMS installation. Services like Cloudflare, AWS WAF, or ModSecurity can block known attack patterns.
Example ModSecurity rule to block CVE-2025-32432 exploitation. It needs `SecRequestBodyAccess On` (URL-encoded bodies are parsed by default; JSON bodies need the JSON body processor), and it is chained so that `__class` only triggers on POSTs aimed at the transform action rather than on every request that happens to contain the string. `block` in the original form depends on `SecDefaultAction`; `deny,status:403` is explicit:

```apache
# Rule IDs 1-99999 are reserved for local, site-specific rules.
# REQUEST_URI includes the query string, so the second rule also catches
# index.php?p=admin/actions/assets/generate-transform.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1001,\
    phase:2,\
    deny,status:403,log,\
    msg:'Potential Craft CMS CVE-2025-32432 exploitation attempt',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    chain"
    SecRule REQUEST_URI "@contains generate-transform" "t:none,t:lowercase,chain"
        SecRule ARGS_NAMES|REQUEST_BODY "@contains __class" "t:none,t:urlDecodeUni,t:lowercase"
```

Force HTTPS across your entire site to protect data in transit:
Apache .htaccess:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Nginx:
```nginx
server {
    listen 80;
    server_name yourdomain.com;
    # $host, not $server_name: keeps the hostname the client actually asked for
    return 301 https://$host$request_uri;
}
```

Step 7: Refresh All User Credentials
Force password resets for all users, particularly admin accounts, so that any credentials captured before the patch stop working. A forced reset takes effect at the user's next login; it does not end sessions that are already signed in, which the key rotation in Step 2 does:
```bash
# Force password reset for all users
php craft resave/users --set passwordResetRequired --to "fn() => true"
# Or target specific user groups
php craft resave/users --group admins --set passwordResetRequired --to "fn() => true"
```
Review all user accounts and remove any that seem suspicious or are no longer needed. Check for recently created accounts, especially those with admin privileges.
Step 8: Establish Monitoring and Backup Procedures
Set up automated monitoring to detect future security incidents. The Sherlock Security Scanner plugin can monitor your Craft CMS site for suspicious files and configuration changes.
Implement comprehensive backup procedures if you haven't already:
- Daily automated backups stored offsite
- Database backups before any major changes
- File system backups including user uploads and configuration
Test your backups regularly to ensure they work when needed.
Verification Steps
After implementing these security measures, verify your site is properly protected:
- Confirm your Craft CMS version: the running version is shown in the control panel footer and under Utilities > System Report; `composer.lock` records the installed `craftcms/cms` and `yiisoft/yii2` versions, which is what matters for the Yii fix
- Test admin access restrictions: Verify that admin panel access is blocked from unauthorized IP addresses
- Verify PHP execution blocking: Try accessing a test PHP file in your uploads directory; it should return 403, neither executing nor serving its source
- Check SSL/HTTPS: Confirm all pages redirect to HTTPS and display proper SSL certificates
- Review logs: Monitor your server logs for any suspicious activity patterns
Common Implementation Issues
Update failures: If Composer updates fail, clear the cache with `composer clear-cache` and check that your PHP version meets Craft CMS requirements.
Plugin compatibility: Some plugins may not work with the latest Craft CMS version. Check the Plugin Store for updates or temporarily disable incompatible plugins.
Locked out of admin: If your own address is outside the allowlist from Step 3, fix the allowlist in the web server configuration; the restriction is enforced before Craft runs, so nothing inside Craft can override it. If an account is locked after failed logins, use `php craft users/unlock <username>` or reset access through your database.
Performance impact: WAF rules and additional security measures may impact site performance. Monitor your site's response times and adjust rules as needed.
Ongoing Security Practices
These immediate actions will secure your site, but maintaining security requires ongoing attention:
- Subscribe to Craft CMS Security Advisories for future vulnerability announcements
- Regularly update Craft CMS core and all plugins
- Monitor the CISA KEV Catalog for new threats
- Conduct quarterly security reviews of your Craft CMS installations
- Train your team on security best practices and incident response procedures
Getting Professional Help
If you're uncomfortable implementing these security measures yourself, or if you suspect your site has been compromised, consider working with a web development agency that specializes in Craft CMS security. Professional security audits and incident response can identify issues you might miss and provide peace of mind.
When evaluating security partners, look for teams with specific Craft CMS experience and a track record of handling security incidents. Ask about their incident response procedures and ongoing monitoring capabilities.
Take Action Now
Don't wait to implement these security measures. The vulnerabilities are being actively exploited, and every day you delay increases your risk. Start with updating Craft CMS and rotating your security keys. These two actions alone will protect against the most serious current threats.
Remember that security is an ongoing process, not a one-time fix. Stay informed about new vulnerabilities, keep your software updated, and regularly review your security measures to ensure they remain effective against evolving threats.
Your site's security depends on taking these steps immediately. The technical implementation is straightforward, but the consequences of inaction can be severe. Protect your site, your data, and your users by implementing these security measures today.
