CVE-2025-32432
published 2025-04-25


Priority: P1 · 99 · critical · 10 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-04-03
Exploited in the wild
EPSS: 99.80% (100.0th percentile)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Affected

6 ranges

Vendor     Product     Version range              Fixed in
craftcms   cms         >= 3.0.0-RC1 < 3.9.15      3.9.15
craftcms   cms         >= 4.0.0-RC1 < 4.14.15     4.14.15
craftcms   cms         >= 5.0.0-RC1 < 5.6.17      5.6.17
craftcms   craft_cms   >= 3.0.0 < 3.9.15          3.9.15
craftcms   craft_cms   >= 4.0.0 < 4.14.15         4.14.15
craftcms   craft_cms   >= 5.0.0 < 5.6.17          5.6.17

Detection & IOCs (extracted from sources)

url: /index.php?p=admin/actions/assets/generate-transform
url: /actions/assets/generate-transform
url: /index.php?p=admin/dashboard
cookie: PHPSESSID
path: /tmp/sess_<PHPSESSID>
command: POST /index.php?p=admin/actions/assets/generate-transform with JSON payload: {"assetId": 11, "handle": {"width": 123, "height": 123, "as session": {"class": "craft\\behaviors\\FieldLayoutBehavior", "__class": "GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}}
command: POST /actions/assets/generate-transform with JSON payload using yii\rbac\PhpManager gadget and itemFile pointing to /tmp/sess_<session_id>
shodan-query: http.component:"Craft CMS"
sigma (detection notes):
  • Detect exploit stage 1: unauthenticated GET or POST to the asset transform endpoint, which is the initial attack vector for CVE-2025-32432.
  • Detect exploit stage 2: POST to /actions/assets/generate-transform with a JSON body containing 'as hack' or 'as session' keys with nested '__class' referencing Yii/Guzzle gadget classes (PhpManager, FnStream, FieldLayoutBehavior). This is the deserialization trigger.
  • Monitor for PHP session files in /tmp (e.g., /tmp/sess_*) being referenced in POST request JSON payloads to Craft CMS endpoints, indicating session file poisoning and inclusion.
  • Alert on HTTP responses from Craft CMS containing 'PHP Extension', 'PHP Version', and 'CRAFT_' simultaneously, which indicates successful phpinfo() execution via the exploit.
  • Look for the X-CSRF-Token header being supplied on unauthenticated POST requests to the generate-transform endpoint — attackers first scrape the CSRF token from the page before sending the malicious payload.
  • Post-exploitation: monitor for unexpected PHP file manager uploads and new backdoor files on Craft CMS servers, as attackers used the RCE to install PHP-based file managers and exfiltrate data.
  • The Mimo/Hezb intrusion set has been observed exploiting CVE-2025-32432 to deploy cryptocurrency miners and residential proxyware — hunt for these payloads on compromised Craft CMS servers.
  • CVE-2025-32432 has been exploited as a zero-day since at least February 2025; treat any unpatched Craft CMS instance (versions < 3.9.15, < 4.14.15, < 5.6.17) as actively compromised and prioritize forensic review.
  • This vulnerability is a follow-on fix to CVE-2023-41892; detection rules or WAF signatures written for CVE-2023-41892 may not fully cover the new attack surface introduced in CVE-2025-32432.
  • The attack is pre-authentication (no valid credentials required), making network-perimeter controls insufficient as the sole defense. The CVSS score is 10.0 with no privileges required.
  • After exploitation, the security key and all environment-variable secrets (S3, Stripe, etc.) should be considered compromised and rotated, as they may have been captured from the environment.
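The detection notes above, turned into a small rule set that runs over request and response records, as an added example that is not the page's or Craft CMS's own code. The request-record shape (method, path, headers, body, authenticated flag), the finding labels and the sample traffic are all constructed here; only the endpoint paths, key names, gadget class names, session-file path and phpinfo markers come from the notes.

```python
import json

# Endpoint paths, key names, gadget classes and session-file path come from the page's IOC and detection notes.
TRANSFORM_ENDPOINT = "/actions/assets/generate-transform"  # substring covers both URL forms in the IOC list
SUSPICIOUS_KEYS = ("as hack", "as session")
GADGET_CLASSES = ("PhpManager", "FnStream", "FieldLayoutBehavior")
SESSION_FILE_PREFIX = "/tmp/sess_"

def _walk(node):
    """Yield (key, value) for every dict entry nested anywhere in a parsed JSON value."""
    if isinstance(node, dict):
        yield from node.items()
    for child in node.values() if isinstance(node, dict) else node if isinstance(node, list) else ():
        yield from _walk(child)

def classify_request(method, path, headers, body, authenticated):
    """Return the labels (constructed names) of the page's detection notes that one request triggers."""
    findings = []
    if TRANSFORM_ENDPOINT not in path:
        return findings
    if not authenticated:
        findings.append("stage1-unauth-transform-endpoint")
        if method == "POST" and any(h.lower() == "x-csrf-token" for h in headers):
            findings.append("csrf-token-on-unauth-post")
    if method != "POST" or not body:
        return findings
    if SESSION_FILE_PREFIX in body:
        findings.append("session-file-reference")
    try:
        doc = json.loads(body)
    except ValueError:  # not JSON, so the deserialization-gadget rule cannot apply
        return findings
    # Stage 2: an 'as hack'/'as session' key whose subtree names a gadget class via 'class' or '__class'.
    if any(k in ("class", "__class") and isinstance(v, str) and any(g in v for g in GADGET_CLASSES)
           for key, value in _walk(doc) if key in SUSPICIOUS_KEYS for k, v in _walk(value)):
        findings.append("stage2-deserialization-gadget")
    return findings

def is_phpinfo_response(response_body):
    """Response rule from the notes: all three markers present at once suggests phpinfo() output."""
    return all(m in response_body for m in ("PHP Extension", "PHP Version", "CRAFT_"))

SAMPLES = [  # constructed sample traffic, not from the page's sources: method, path, headers, body, authenticated
    ("GET", "/actions/assets/generate-transform", {}, "", False),
    ("POST", "/index.php?p=admin/actions/assets/generate-transform", {"X-CSRF-Token": "constructed"},
     '{"assetId": 1, "handle": {"as session": {"__class": "GuzzleHttp\\\\Psr7\\\\FnStream"}}}', False),
    ("POST", "/actions/assets/generate-transform", {},
     '{"handle": {"as hack": {"__class": "yii\\\\rbac\\\\PhpManager", "itemFile": "/tmp/sess_abc123"}}}', False),
    ("POST", "/actions/assets/generate-transform", {}, '{"assetId": 5, "handle": "thumb"}', True),
]
```

Feeding each record in SAMPLES to classify_request shows the first three unauthenticated requests raising the stage-1, CSRF, session-file and stage-2 findings, while the authenticated request with a plain handle raises none.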

CVSS provenance

nvd: v3.1 · 10.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 10.0 CRITICAL
cisa: 10.0 CRITICAL