Critical Craft CMS Security Patches: Protect Your Site from Active Attacks

Alex Rollin
2025-06-13
Last update: 2025-06-14
If you're running a Craft CMS website, you need to act now. Multiple critical vulnerabilities are being actively exploited in the wild, and over 300 servers have already been compromised. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, which means attackers are successfully using them to break into websites.

This isn't a "nice to have" update—it's an emergency patch that could save your site from being completely compromised. Here's everything you need to know to protect your Craft CMS project.

What's Happening Right Now

Three critical vulnerabilities are being actively exploited:

CVE-2025-32432 allows attackers to execute arbitrary code through Craft's image transform endpoint. This means they can run whatever commands they want on your server.

CVE-2025-35939 lets attackers inject malicious code without any authentication. They don't even need to log in to attack your site.

CVE-2025-23209 enables code injection when the security key is compromised, which often happens after the other vulnerabilities are exploited.

Automated bots are scanning the internet for vulnerable Craft CMS sites. If your site isn't patched, you're essentially leaving the front door wide open.

Check Your Craft CMS Version Right Now

Before anything else, you need to know which version you're running. In your project directory, run:

composer show craftcms/cms

Or check in your Craft CMS control panel under Settings → Updates.

Here are the versions you need to be safe:

  • Craft CMS 5.x: Update to 5.6.17 or later
  • Craft CMS 4.x: Update to 4.14.15 or later
  • Craft CMS 3.x: Update to 3.9.15 or later
  • Yii Framework: Update to 2.0.52 or later

If you're running anything older than these versions, you're vulnerable.
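The following script is an added example, not part of the article, for turning the version table above into an automated check. The minimum versions are the ones listed above; the function names, the `composer show` parsing and the `composer.lock` guard are this example's own choices. It compares dotted versions component by component so that, for instance, 5.7.0 is correctly treated as newer than 5.6.17.

```shell
#!/bin/sh
# Added example (not from the article): compare installed package versions
# against the minimum patched versions the article lists.

# Minimum patched version for a package/major-version pair, or empty if the
# article gives no threshold for that major version.
min_safe_version() {
    case "$1:$2" in
        craftcms/cms:5)  echo 5.6.17 ;;
        craftcms/cms:4)  echo 4.14.15 ;;
        craftcms/cms:3)  echo 3.9.15 ;;
        yiisoft/yii2:2)  echo 2.0.52 ;;
        *)               echo "" ;;
    esac
}

# Returns 0 if dotted version $1 >= $2, comparing numeric components in turn.
# A missing component counts as 0, so "5.6" equals "5.6.0".
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}
        p2=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1="" ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
        if [ "${p1:-0}" -gt "${p2:-0}" ]; then return 0; fi
        if [ "${p1:-0}" -lt "${p2:-0}" ]; then return 1; fi
    done
    return 0
}

# is_patched PACKAGE VERSION
#   0 = at or above the minimum, 1 = vulnerable,
#   2 = major version the article gives no threshold for.
is_patched() {
    pkg=$1
    ver=${2#v}          # tolerate a leading "v"
    ver=${ver%%-*}      # drop pre-release suffixes such as "-beta.1"
    min=$(min_safe_version "$pkg" "${ver%%.*}")
    [ -n "$min" ] || return 2
    version_ge "$ver" "$min"
}

# Installed version of one package, read from "composer show" (the line that
# looks like "versions : * 5.6.17"). Empty if the package is not installed.
installed_version() {
    composer show "$1" 2>/dev/null | awk '$1 == "versions" { print $NF }'
}

# Report on the packages the article names; returns 1 if any is vulnerable.
audit_installed() {
    rc=0
    for pkg in craftcms/cms yiisoft/yii2; do
        ver=$(installed_version "$pkg")
        if [ -z "$ver" ]; then
            echo "$pkg: not installed"
            continue
        fi
        is_patched "$pkg" "$ver" && status=0 || status=$?
        case $status in
            0) echo "$pkg $ver: OK (patched)" ;;
            1) echo "$pkg $ver: VULNERABLE - update now"; rc=1 ;;
            *) echo "$pkg $ver: no threshold known for this major version" ;;
        esac
    done
    return $rc
}

# Only audit when run inside a Composer project with composer available.
if [ -f composer.lock ] && command -v composer >/dev/null 2>&1; then
    audit_installed
fi
```

Run it from the project directory; the exit status is non-zero when any listed package is below its minimum, which makes it usable as a CI gate.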

Emergency Craft CMS Security Patching Steps

1. Backup Everything First

Don't skip this step. Back up your database and all files before making any changes:

# Database backup (date needs a leading + before the format string)
mysqldump -u username -p database_name > backup_$(date +%Y%m%d_%H%M%S).sql

# File backup
tar -czf files_backup_$(date +%Y%m%d_%H%M%S).tar.gz /path/to/your/craft/project

2. Update Craft CMS

Update to the latest secure version:

composer update craftcms/cms

If you want to target a specific version:

composer require craftcms/cms:^5.6.17

3. Update All Dependencies

Don't forget about plugins and the Yii framework:

composer update

If you're using Yii directly, make sure it's updated:

composer require yiisoft/yii2:^2.0.52

4. Run Database Migrations

After updating, run any pending migrations:

php craft migrate/all

5. Rotate Your Security Keys

This is critical. Generate a new security key:

php craft setup/security-key

Update your `.env` file with the new `CRAFT_SECURITY_KEY` value. Do this on all environments (staging, production, etc.).

6. Check for Compromise

If you suspect your site might already be compromised, look for:

  • Unusual files in your uploads or public directories
  • Unexpected admin users in your control panel
  • Strange entries in your access logs
  • Modified files that shouldn't have changed

If you find anything suspicious, consider taking your site offline temporarily while you clean up.
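Two of the checks above (unexpected files in public directories, recently modified files) can be scripted. This is an added example, not from the article; it assumes the usual Craft layout where `index.php` is the only PHP file that belongs under the web root and where `vendor/` and `storage/` change during normal operation. Checking for unexpected admin users still needs a look at the control panel or the database.

```shell
#!/bin/sh
# Added example (not from the article): file-level compromise checks.
# Assumptions: WEB_ROOT is the public web root; index.php is the only PHP
# file Craft serves from there; vendor/ and storage/ churn during normal use.

# List PHP-executable files under the web root other than the front
# controller. Craft keeps its code outside the web root, so a .php file in
# uploads or any other public directory is worth a close look.
unexpected_php_files() {
    web_root=$1
    find "$web_root" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        ! -path "$web_root/index.php" 2>/dev/null
}

# List files under the project root modified within the last N days (default
# 7), skipping the directories that legitimately change all the time. Compare
# the result against your last deploy: anything you did not ship is suspect.
recently_modified() {
    dir=$1
    days=${2:-7}
    find "$dir" -type f -mtime "-$days" \
        ! -path "$dir/vendor/*" ! -path "$dir/storage/*" 2>/dev/null
}

# Usage (paths are examples):
#   unexpected_php_files /var/www/mysite/web
#   recently_modified /var/www/mysite 3
```

Run both against a known-clean deployment once so you know what the normal output looks like; the value of the second check is the diff against that baseline.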

Advanced Craft CMS Protection Measures

Force Password Resets

If you suspect compromise, force all users to reset their passwords:

php craft resave/users --set passwordResetRequired --to "fn() => true"

Block Malicious Requests

If you're using Nginx, you can block POST requests to the asset transform action that CVE-2025-32432 abuses. Nginx does not allow one `if` block inside another, so the two conditions are combined through a flag variable. This rule only inspects the request line, so treat it as a stopgap while you patch, not as a replacement for the update:

location /index.php {
    # Build a flag that reads "11" only when both conditions match
    set $block "";
    if ($request_method = POST) {
        set $block "1";
    }
    if ($request_uri ~* "actions/assets/generate-transform") {
        set $block "${block}1";
    }
    if ($block = "11") {
        return 403;
    }
}

Restrict Admin Access

Limit control panel access to trusted IP addresses. The Nginx form is shown below (Apache's equivalent is the `Require ip` directive):

location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
}

Enable Multi-Factor Authentication

Set up MFA for all admin accounts. You can use plugins like Two-Factor Authentication for Craft CMS.

Common Craft CMS Update Problems and Solutions

Composer dependency conflicts: If you get dependency errors, try updating plugins first, then Craft CMS:

composer update craftcms/plugin-name
composer update craftcms/cms

Site goes down during update: Use maintenance mode before updating:

php craft off
# Do your updates
php craft on

Plugins break after update: Check each plugin's compatibility with your new Craft version. Disable problematic plugins temporarily:

php craft plugin/disable plugin-handle

Monitoring and Prevention

Set Up Log Monitoring

Enable detailed logging in your `config/general.php`:

return [
    'enableLogging' => true,
    'logLevel' => 'info',
];

Watch for suspicious activity in your logs, especially:

  • Multiple failed login attempts
  • Unusual POST requests to image transform endpoints
  • Requests with `__class` parameters
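The two request patterns in that list can be pulled out of a standard combined-format access log with a short filter. This is an added example, not from the article; the log lines are constructed sample data (RFC 5737 addresses), the action path is the one the article names, and the field positions assume the default Nginx/Apache combined log format.

```shell
#!/bin/sh
# Added example (not from the article): flag the request patterns the article
# tells you to watch for, then count hits per client IP.
# The log lines below are constructed sample data, not a real capture.

SAMPLE_LOG='203.0.113.7 - - [13/Jun/2025:10:01:02 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [13/Jun/2025:10:01:05 +0000] "GET /blog/hello-world HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2025:10:01:09 +0000] "GET /index.php?p=actions/assets/generate-transform&__class=placeholder HTTP/1.1" 400 0 "-" "python-requests/2.31"
192.0.2.22 - - [13/Jun/2025:10:02:00 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Filter: print lines that are POSTs to the asset transform action, or any
# request whose query string carries a __class parameter (plain or with an
# encoded "[" after it). In combined log format field 6 is the quoted method
# and field 7 is the request path.
suspicious_requests() {
    awk '
        $6 == "\"POST" && $7 ~ /actions\/assets\/generate-transform/ { print; next }
        $7 ~ /[?&]__class(=|\[|%5B)/ { print }
    '
}

# Aggregate: one "count ip" line per client, most active first.
suspicious_ips() {
    suspicious_requests | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Against a real log: suspicious_ips < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips
```

On the sample data this reports `2 203.0.113.7`: the transform POST and the `__class` request both come from the same client, which is exactly the kind of pattern worth checking against the file and user audits above. A `__class` parameter sent in a POST body will not show up in the access log, so this is a first pass, not a complete detection.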

Regular Security Audits

Use tools like Snyk, the Local PHP Security Checker, or the Enlightn Security Checker to scan your dependencies for known vulnerabilities. The Enlightn checker, for example, reads your `composer.lock`:

# Install the Enlightn Security Checker
composer global require enlightn/security-checker

# Check the project's lock file against known advisories
security-checker security:check composer.lock

Keep Dependencies Updated

Set up automated dependency checking in your CI/CD pipeline. Tools like Dependabot can automatically create pull requests when updates are available.

Building a Security-First Workflow

Staging Environment Testing

Always test updates in a staging environment first:

  • Deploy your production site to staging
  • Apply updates and test thoroughly
  • Deploy to production only after confirming everything works

Update Schedule

Don't wait for emergencies. Set up a regular update schedule:

  • Critical security patches: Immediate (within 24-48 hours)
  • Minor updates: Weekly or bi-weekly
  • Major version updates: Monthly, with thorough testing

Team Communication

Make sure everyone on your team knows about security procedures:

  • Subscribe to Craft CMS security advisories
  • Set up alerts for CISA vulnerability announcements
  • Document your incident response plan

What to Do if You're Already Compromised

If you discover your site has been compromised:

  • Take the site offline immediately
  • Restore from a clean backup (before the compromise occurred)
  • Apply all security patches before bringing the site back online
  • Audit all user accounts and remove any suspicious ones
  • Review and rotate all credentials (database passwords, API keys, etc.)
  • Monitor closely for signs of re-compromise

Staying Protected Going Forward

Subscribe to Security Notifications

  • Craft CMS Security Advisories
  • CISA Known Exploited Vulnerabilities
  • Craft CMS Newsletter

Use Security Tools

  • Web Application Firewall (WAF): Cloudflare, AWS WAF, or similar
  • Vulnerability Scanners: Snyk, OWASP ZAP, or Nessus
  • Monitoring Services: New Relic, Datadog, or similar

Regular Maintenance

Security isn't a one-time task. Make it part of your regular maintenance routine:

  • Monthly security reviews
  • Quarterly penetration testing
  • Annual security audits

Take Action Now

The longer you wait, the higher your risk. Attackers are actively scanning for vulnerable Craft CMS sites right now. Here's your immediate action plan:

  • Check your version - Do this right now
  • Backup your site - Don't skip this step
  • Update immediately - Apply all patches today
  • Rotate security keys - Generate new keys after patching
  • Monitor for compromise - Check logs and files for suspicious activity

If you're managing multiple Craft CMS sites, prioritize them by importance and patch the most critical ones first.

Remember: A compromised website can lead to data theft, ransomware attacks, and serious damage to your reputation. The few hours you spend patching today could save you weeks of recovery work later.

Don't wait—patch your Craft CMS sites now.
