Craft CMS 2025-32432

Update and check your Craft CMS installation. There is a high-impact vulnerability out there (again).

Actions we have been taking

Since May 6th, we have been blocking requests to the affected actions/assets/generate-transform endpoint. This should stop all further hacking attempts. We have seen a wave of attacks coming in from May 2nd on.

Impact

fortrabbit Apps run in isolated, jailed containers, which means that one affected App will not harm other Apps. Our enhanced security also means that certain abuse patterns like cryptomining are not possible. But as with any web hosting, once malicious actors gain access, they control your website.

Actions required by you

Please mind that you are responsible for the code you write and bring to the fortrabbit platform. Updating Craft CMS might not be enough if the website is already affected; you might also have to clean out malicious files.

Update your Craft CMS installation

Upgrade your Craft CMS installation to the latest version. We recommend first updating your local installation in your web development environment and then deploying the latest version. If you cannot upgrade because of dependency conflicts, install the security patch (see links below).

Fixed Craft CMS versions

Craft CMS released fixes on April 11th 2025. If you haven't updated your installation, it's vulnerable. These versions are fixed; anything below is affected:

  • 3.9.15
  • 4.14.15
  • 5.6.17

Check if your Apps are affected

The following can indicate that your website has been hacked:

  • Spikes in requests and errors (check the metrics)
  • Database: additional admin users have been added
  • Obfuscated code in index.php and other files
  • Changed .htaccess file
  • Suspicious files/code not part of the repo, for example:
      .well-known/*
      .widgets.php
      accesson.php
      autoload_classmap.php
      cgi-bin/*
      CoreCheck.php
      craftt-api.php
      envcraft.php
      m.php
      memberfuns.php
      mn.php
      mnb.php
      wp-blogs.php

Some files might be hidden deep inside the existing folder structure, like so:

assets/_120x78_crop_center-center_none/-vwugcm.php
assets/_240x122_crop_center-center_none/-gqpmnb.php
assets/_68x56_crop_center-center_none/-yuobgf.php
cpresources/4c4d6e37/d3-format/-rfihgs.php
cpresources/718fe862/mode/cypher/-nswipf.php
cpresources/718fe862/mode/swift/-oxtkip.php
cpresources/926d5982/js/captchas/-wtfbav.php
cpresources/d87ff9ec/-npcqfu.php
migrations/...
templates/...
vendor/...

It's also possible that existing files contain malicious code or have been replaced. Don't trust the file modification dates.
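As an added example (not part of the fortrabbit post), a small Python scanner that applies the indicators above to a Craft CMS webroot: it flags the dropped file names listed, any PHP file under directories that should only hold static content (assets/ and cpresources/ as shown on the page; templates/, .well-known/ and cgi-bin/ are assumptions), and one common obfuscation idiom (an assumed heuristic). It deliberately ignores modification times, and the sample tree it scans is constructed inline.

```python
import os
import re
import tempfile

# File names the advisory lists as dropped by attackers.
SUSPICIOUS_NAMES = {
    ".widgets.php", "accesson.php", "autoload_classmap.php", "CoreCheck.php",
    "craftt-api.php", "envcraft.php", "m.php", "memberfuns.php", "mn.php",
    "mnb.php", "wp-blogs.php",
}
# Top-level directories that should hold no PHP: transforms and control-panel
# resources are static, Craft templates are Twig (treated as an assumption).
NO_PHP_DIRS = {"assets", "cpresources", "templates", ".well-known", "cgi-bin"}
# Common web-shell obfuscation idiom (heuristic assumed here, not from the page).
OBFUSCATION = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)

def scan_webroot(root):
    """Return sorted (relative_path, reason) pairs; mtimes are deliberately ignored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = "" if rel_dir == "." else rel_dir.split(os.sep)[0]
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name in SUSPICIOUS_NAMES:
                findings.append((rel, "known dropped file name"))
            elif name.lower().endswith(".php") and top in NO_PHP_DIRS:
                findings.append((rel, "PHP file in static-only directory"))
            elif name.lower().endswith(".php"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    if OBFUSCATION.search(fh.read()):
                        findings.append((rel, "obfuscated PHP"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree: legitimate files plus paths taken from the page."""
    root = tempfile.mkdtemp(prefix="craft-")
    files = {
        "index.php": b"<?php require 'vendor/autoload.php';",
        "templates/index.twig": b"{% extends '_layout' %}",
        "mn.php": b"<?php // dropped file",
        "assets/_120x78_crop_center-center_none/-vwugcm.php": b"<?php",
        "cpresources/718fe862/mode/swift/-oxtkip.php": b"<?php",
        "web/helper.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Run `scan_webroot(build_sample_webroot())` to see the four findings on the sample tree, or point `scan_webroot` at a real webroot and compare the output with your repository.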

Clean your installations

If your website has been affected, it is crucial to remove all potential back doors.

You can use our backups to restore to an earlier state. If your plan includes backups, see if you have access to a version that is not affected. Use your local environment to update or patch that version and then deploy/upload its contents.

Additionally, take the following steps to secure your installation:

  • Reset all Craft CMS user passwords
  • Refresh the security key
  • Reset the database password
  • Update and secure any private details or secrets that may have been exposed (e.g., third-party API credentials)

Pro Apps have ephemeral storage: the next time you deploy, any added code will be gone. Still, consider credentials to be leaked and check the database.

Links
