CVE-2025-32432

12 documents | 10 sources

CVSS: 10 (CRITICAL)
EPSS: 87.7% (99th percentile)
CISA KEV | Public Exploit
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Exploitability: 3.9 | Impact: 6.0

Affected Packages (2 packages)

Source    | Package            | Introduced | Fixed
Packagist | craftcms/cms       | 3.0.0-RC1  | 3.9.15 (+2 more ranges)
NVD       | craftcms/craft_cms | 3.0.0      | 3.9.15 (+2 more ranges)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

🔴 Vulnerability Details (4)

- GHSA: Craft CMS Allows Remote Code Execution (2025-04-25)
- CVEList: Craft CMS Allows Remote Code Execution (2025-04-25)
- OSV: Craft CMS Allows Remote Code Execution (2025-04-25)
- VulnCheck: craftcms Craft CMS Improper Control of Generation of Code ('Code Injection') (2025)

💥 Exploits & PoCs (2)

- Nuclei: CraftCMS - Remote Code Execution
- Metasploit: Craft CMS Image Transform Preauth RCE (CVE-2025-32432)

🔍 Detection Rules (1)

- Suricata: ET WEB_SPECIFIC_APPS CraftCMS Pre-Auth Remote Code Execution (CVE-2025-32432) (2025-05-13)

📋 Vendor Advisories (3)

- CISA: Craft CMS Code Injection Vulnerability (2026-03-20)
- CISA: Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability (2025-06-02)
- CISA: Yiiframework Yii Improper Protection of Alternate Path Vulnerability (2025-05-02)