Investigating an in-the-wild campaign using RCE in CraftCMS
ID: 22bf2720-c1a7-5b69-a9e7-3a33daf185db
STIX ID: report--22bf2720-c1a7-5b69-a9e7-3a33daf185db
Feed Name: SensePost Blog
Orange Cyberdefense describes a confirmed, in-the-wild pre-auth RCE chain against Craft CMS (affecting 3.x–5.x) that abuses Yii behavior configuration to instantiate gadget classes and execute arbitrary PHP. The report covers forensic evidence of exploitation (logs and IOCs), technical root cause analysis, a lab reproduction and PoC exploit, detection templates, and a large-scale asset scan identifying thousands of vulnerable hosts and ~300 likely compromises.