🔴 CVE-2025-35939

Craft CMS allows unauthenticated attackers to write arbitrary content (including PHP code) into session files at predictable locations on the server. The vulnerability can enable remote code execution without authentication, and CISA's KEV catalog records it as exploited in the wild.

Risk Level: HIGH_RISK
CVSS Score: 5.3
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-07

Added to CISA KEV: 2025-06-02 (26 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-35939 is a vulnerability in Craft CMS that has been confirmed as actively exploited in the wild [2].

Vulnerability Overview
  • Classification: The vulnerability is an "External Control of Assumed-Immutable Web Parameter" (CWE-472) [1].
  • Technical Root Cause: Craft CMS stores a user-controlled "return URL" parameter in the PHP session file without sanitizing it [1]. The application treats the value as a fixed, trusted parameter, so an unauthenticated client can place arbitrary content into the session file [1].
Exploitation and Impact
  • Attack Method: Exploitation is possible by unauthenticated remote attackers. Requesting an authentication-required page with a crafted return URL causes the application to persist the attacker-chosen value in the session file; that is the injection path.
  • Impact: Because session files sit at predictable paths and can hold attacker-supplied PHP code, successful exploitation can lead to Remote Code Execution (RCE) on the affected server.
  • Active Exploitation: The vulnerability has been confirmed as actively exploited in the wild. It has been associated with federal remediation requirements (e.g., BOD 22-01 guidance in the United States).
Mitigation and Status
  • Status: Users are strongly advised to apply patches or mitigations provided by the vendor immediately.
  • Recommendation: If official patches are not immediately applicable, organizations should follow vendor-specific guidance or, if necessary, discontinue use of the product until the vulnerability is remediated.
*Note: While specific version numbers were not detailed in the provided search results, administrators should check the official Craft CMS security advisories for the exact affected versions and the corresponding security updates.*
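The mechanism described above, as an added illustration (not Craft CMS code and not from the cited advisories): a vulnerable flow that writes the return URL of an auth-required request into a PHP-style session file unchanged, a hardened flow that only persists a site-relative path, and a triage check that scans a session directory for files containing a PHP open tag. The session-file layout follows PHP's default `php` session serializer (`key|serialize(value)`) and the `sess_<id>` file naming; the key name `returnUrl`, the directory, and the sample payload are assumptions constructed for this example.

```python
"""Model of the CWE-472 pattern behind CVE-2025-35939, plus a triage check.

Added illustration, not Craft CMS code. The session-file layout follows PHP's
default 'php' session serializer (key|serialize(value)) and sess_<id> naming;
the key name 'returnUrl' and the sample payload are assumptions.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# PHP open tags ("<?php" or "<?=") are the marker for injected code.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def php_serialize_str(value: str) -> bytes:
    """PHP serialize() of a string: s:<bytelen>:"<bytes>";"""
    raw = value.encode("utf-8")
    return b's:%d:"%s";' % (len(raw), raw)


def session_path(session_dir: str, session_id: str) -> str:
    """PHP's files handler stores sessions as sess_<PHPSESSID> in save_path."""
    return os.path.join(session_dir, "sess_" + session_id)


def store_return_url_vulnerable(session_dir: str, session_id: str, requested_url: str) -> str:
    """Vulnerable flow: the URL of an auth-required request is written to the
    session file verbatim, so an unauthenticated client controls file content."""
    path = session_path(session_dir, session_id)
    with open(path, "wb") as fh:
        fh.write(b"returnUrl|" + php_serialize_str(requested_url))
    return path


def is_safe_return_url(url: str, max_len: int = 512) -> bool:
    """Accept only a bounded, site-relative path: no scheme or host,
    no protocol-relative '//', no control characters, no PHP open tags."""
    if not url or len(url) > max_len:
        return False
    if not url.startswith("/") or url.startswith("//"):
        return False
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    if PHP_TAG.search(url.encode("utf-8")):
        return False
    return True


def store_return_url_hardened(session_dir: str, session_id: str,
                              requested_url: str, fallback: str = "/") -> str:
    """Hardened flow: validate before persisting; otherwise store a fixed path."""
    url = requested_url if is_safe_return_url(requested_url) else fallback
    path = session_path(session_dir, session_id)
    with open(path, "wb") as fh:
        fh.write(b"returnUrl|" + php_serialize_str(url))
    return path


def find_injected_sessions(session_dir: str) -> list:
    """Triage check: names of session files that contain a PHP open tag."""
    hits = []
    for name in sorted(os.listdir(session_dir)):
        if not name.startswith("sess_"):
            continue
        with open(os.path.join(session_dir, name), "rb") as fh:
            if PHP_TAG.search(fh.read()):
                hits.append(name)
    return hits


def demo() -> dict:
    """Run both flows on a constructed payload and scan the directory."""
    payload = "/admin/dashboard?x=<?php system($_GET['c']); ?>"  # constructed sample
    with tempfile.TemporaryDirectory() as session_dir:
        vuln = store_return_url_vulnerable(session_dir, "attacker1", payload)
        hard = store_return_url_hardened(session_dir, "attacker2", payload)
        with open(vuln, "rb") as fh:
            vuln_body = fh.read()
        with open(hard, "rb") as fh:
            hard_body = fh.read()
        flagged = find_injected_sessions(session_dir)
    return {
        "vulnerable_contains_php": PHP_TAG.search(vuln_body) is not None,
        "hardened_contains_php": PHP_TAG.search(hard_body) is not None,
        "hardened_body": hard_body,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(demo())
```

Pointing `find_injected_sessions` at a real `session.save_path` is a quick way to check whether attacker-supplied PHP already sits in session files on a host that ran an unpatched version; it does not prove exploitation, only that content worth inspecting is present.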

Sources

  1. CISA Warns of Craft CMS Code Injection Flaw Exploited in the Wild

    Vulnerability overview CVE-2025-35939 is classified as an external control of assumed-immutable web parameter issue (CWE-472) in Craft CMS. The flaw arises because Craft CMS stores a user-controlled “return URL” in PHP session files without proper sanitization, treating it as if it were a safe, fixe…

  2. Craft CMS: Active exploitation of CVE-2024-56145 and ... - 365TRUST
