
This is not a drill: the Craft CMS zero-day critical vulnerability

James Smith

An unpatched Craft installation is a ticking time bomb. Here's how our lead Craft CMS developer tackled the zero-day vulnerability head-on.

I’m sure it’s not just my bad habit. Checking your phone as soon as you wake — sometimes before you can even focus properly with both eyes — is universally frowned upon by the self-styled mental health gurus of The Internet. While the rest of us are squinting at our screens through the blurry eye-fog of any normal morning, I’m pretty sure Bryan Johnson would already be swimming his 100th length through a pool of extra virgin olive oil, permeated by the droning hum of binaural theta waves in preparation for “winning the day”.

But the 11th of April 2025 wasn’t about to be a normal day.

Brandon Kelly is the CEO of Pixel & Tonic, the vendor of Craft CMS, which we specialise in, and upon which most of our client sites are based. I awoke to Brandon’s message on the Craft discussion boards about a zero-day remote code execution vulnerability in the framework Yii, upon which Craft is built.

A screenshot of a Discord message by Brandon Kelly. Text reads: We just released Craft CMS 3.9.15, 4.14.15, and 5.6.17 as critical updates. They fix a potential zero-day RCE vulnerability (we’ve received one report of it being exploited so far). (Note that Craft 4.15 Beta and 5.7 Beta are unaffected, as the same vulnerability was also fixed in Yii 2.0.52.)
Brandon’s call-to-arms.

Protocol override

The proverbial cat was out of the bag and the clock was ticking. It was a Friday. “Don’t do major deployments on a Friday”, goes the sacred commandment we were about to heroically ignore. Before I was vertical, I had already started mentally prioritising clients like a ruthless war zone medic.

On the bright side, it was half term; I didn’t need to cajole the kids to school, so at least I could get a head start on triage. Many of our clients benefit from our Craft CMS retainer contracts, and some of those handle sensitive user data, so the front of the queue was easy to assemble.

Rapid deployment process

We have a rapid deployment process baked into our purpose-built platform for Craft, which we have been refining for over ten years. Thanks to this, the first few upgrades were done before breakfast.

Unfortunately, CMS upgrades are rarely as simple as pushing a few buttons: many of our clients have projects in multiple states of development with feature branches at different stages of approval. On this particular Friday, many of our clients were also in the midst of Craft 4 to 5 migrations in various states of completion, with live environments running Craft 4 and staging environments on Craft 5, sometimes with multiple other branches awaiting merging into both. Updating them so quickly required concentration and a level head.

As the day progressed though, the pace of the upgrades accelerated, and after 10 straight hours, every environment for every client had been patched. Emerging cross-eyed and pale, having not been outside for the whole day, we were done; the terminal command php craft update craft deeply etched into my consciousness.
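Triage on a morning like this starts with one question: which of the many environments is still below the fixed version? The script below is an added example, not the author's platform tooling (the post does not show that). It reads the craftcms/cms entry from a project's composer.lock and compares it with the fixed versions named in Brandon's announcement (3.9.15, 4.14.15, 5.6.17), so a 4.15 or 5.7 beta correctly counts as patched, and it refuses to call a line the announcement does not cover "safe". The composer.lock documents and project names are constructed for the example.

```python
import json
from typing import Optional

# Minimum fixed versions per major line, taken from the announcement above.
# A pre-release such as 5.7.0-beta.1 sorts above 5.6.17 and is therefore
# treated as patched, matching the note about the 4.15/5.7 betas.
FIXED_VERSIONS = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}


def parse_version(version: str) -> tuple[int, int, int]:
    """Reduce a Composer version string to (major, minor, patch).

    Strips a leading 'v' and any pre-release/build suffix ('-beta.1', '+sha'),
    so '5.7.0-beta.1' becomes (5, 7, 0). Non-numeric parts (e.g. 'dev-main')
    and missing components default to 0.
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def locked_version(lock_json: str, package: str = "craftcms/cms") -> Optional[str]:
    """Return the version of `package` recorded in a composer.lock document, if any."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def craft_status(lock_json: str) -> str:
    """Classify one project: 'patched', 'VULNERABLE', 'unknown-line' or 'not-craft'."""
    version = locked_version(lock_json)
    if version is None:
        return "not-craft"
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Not a line the announcement covers (or an unparsable dev version):
        # do not assume it is safe, flag it for a manual look.
        return "unknown-line"
    return "patched" if parsed >= fixed else "VULNERABLE"


def triage(projects: dict[str, str]) -> list[tuple[str, str, str]]:
    """Order projects so the ones still needing `php craft update craft` come first."""
    priority = {"VULNERABLE": 0, "unknown-line": 1, "patched": 2, "not-craft": 3}
    rows = []
    for name, lock_json in projects.items():
        rows.append((name, locked_version(lock_json) or "-", craft_status(lock_json)))
    return sorted(rows, key=lambda row: (priority[row[2]], row[0]))


def _lock(*packages: tuple[str, str]) -> str:
    """Build a minimal composer.lock-shaped document (constructed for this example)."""
    return json.dumps({
        "packages": [{"name": name, "version": version} for name, version in packages],
        "packages-dev": [],
    })


# Constructed sample environments, not real client sites.
SAMPLE_PROJECTS = {
    "client-a-live": _lock(("craftcms/cms", "4.14.14"), ("yiisoft/yii2", "2.0.51")),
    "client-a-staging": _lock(("craftcms/cms", "5.7.0-beta.1"), ("yiisoft/yii2", "2.0.52")),
    "client-b-live": _lock(("craftcms/cms", "3.9.15")),
    "legacy-site": _lock(("craftcms/cms", "2.8.0")),  # a line the announcement does not cover
    "marketing-app": _lock(("laravel/framework", "v11.0.0")),
}

if __name__ == "__main__":
    for name, version, status in triage(SAMPLE_PROJECTS):
        print(f"{status:12} {version:14} {name}")
```

To use it on real projects, read each environment's composer.lock from disk (or from the deployed release, which is what actually matters) into the dictionary. A VULNERABLE row is a site that still needs the update; an unknown-line row, which is also what a dev-main constraint produces, needs a human to check what is actually installed.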

Why we still trust Craft CMS

This was practically as bad as it gets when it comes to website security. The vulnerability in question is relatively low effort to exploit, and allows an attacker to take control of your entire server.

There have been a thankfully small number of critical vulnerabilities affecting Craft over the years, but, in my memory at least, they usually needed an unfortunate combination of unusual configurations, outdated platforms or particular plugins to exploit effectively, or required a level of pre-existing privilege that made the vulnerability largely moot, or were slightly less urgent because the fix was released before the vulnerability was publicly disclosed. This one was a zero-day: attackers knew about it, and were exploiting it, before a fix existed, so there was a window in which no patch was available at all. It doesn't depend on any unusual setup, configuration, plugin or logged-in admin privilege: every site running any version of Craft 3, 4 or 5 was instantly at risk, and had been for some months.

Craft is rightly celebrated for its excellent track record on security. As a commercial product it has a dedicated full-time team of experts who are constantly working to improve it and ensure that it is secure. This particular vulnerability was not technically part of the Craft codebase, but rather the PHP framework upon which it is built, and the Craft team admirably reacted as fast as they could to release patches for all affected versions.

Craft currently has 53 vulnerabilities listed in the CVE database.

WordPress, by comparison, has 23,520, although that figure is dominated by third-party plugins and themes rather than WordPress core, so the two numbers are not a like-for-like comparison.

Proof that updates aren’t optional

If you have an unpatched Craft installation running on a server somewhere, even if it’s a private development site that Google doesn’t know about, you’re sitting on a time bomb. It was about two weeks after Brandon’s initial announcement that reports of hacked servers started appearing on the Craft discussion boards, with each day bringing forth new victims.

The hacks were taking the form of ransomware and covert crypto-mining operations, with one highly experienced hosting partner reporting that at least three separate groups appeared to be targeting the vulnerability en masse. The only way to recover reliably is to discard the compromised server entirely and build a new one from a backup taken before the compromise. Even then, reports were coming in of brand new servers restored from backups being reinfected within three minutes of being spun up, because they booted with the same unpatched version of Craft. So keep the new server off the public internet (block inbound web traffic at the firewall, or restrict it to your own addresses) until the Craft update has been applied, and only then open it up.

We’re pleased to report that none of our client sites have been affected by this vulnerability. Episodes like this really highlight the need to keep your websites and infrastructure updated, and to make sensible, informed choices when selecting technology, platforms, and service providers.