Nicolas Bourras

Researcher from Orange Cyberdefense
#23757 of 53,634
10 Total CVSS
Vulnerabilities · 1
PT-2025-17927
10
2025-04-25
Craft · Craft · CVE-2025-32432
**Name of the Vulnerable Software and Affected Versions**

- Craft CMS versions prior to 3.9.15
- Craft CMS versions prior to 4.14.15
- Craft CMS versions prior to 5.6.17

**Description**

Craft CMS is vulnerable to remote code execution. This is a high-impact, low-complexity issue actively exploited by the Mimo threat actor. The Mimo group has been observed deploying webshells, cryptominers (XMRig), and proxyware (IPRoyal) by exploiting this vulnerability. The exploitation involves deploying a webshell via a specially crafted GET request, allowing for arbitrary command execution on the compromised server. The attackers employ techniques to hide their malicious activity, including the use of the `alamdar.so` library.

Approximately 13,000 vulnerable instances have been identified, with around 300 already compromised. The attackers are financially motivated and have demonstrated a diversification of tactics, including the potential for ransomware deployment.

**Recommendations**

- Craft CMS versions prior to 3.9.15: Update to version 3.9.15 or later.
- Craft CMS versions prior to 4.14.15: Update to version 4.14.15 or later.
- Craft CMS versions prior to 5.6.17: Update to version 5.6.17 or later.