CVE-2025-32432
Published: 2025-04-25
Priority: P1 · Critical · CVSS 3.1 base score 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · Exploited in the wild · Public exploit available · Initial access
CISA Known Exploited Vulnerability, remediation due 2026-04-03
EPSS: 99.80% (100.0th percentile)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 3.0.0-RC1 < 3.9.15 | 3.9.15 |
| craftcms | cms | >= 4.0.0-RC1 < 4.14.15 | 4.14.15 |
| craftcms | cms | >= 5.0.0-RC1 < 5.6.17 | 5.6.17 |
| craftcms | craft_cms | >= 3.0.0 < 3.9.15 | 3.9.15 |
| craftcms | craft_cms | >= 4.0.0 < 4.14.15 | 4.14.15 |
| craftcms | craft_cms | >= 5.0.0 < 5.6.17 | 5.6.17 |
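The version ranges above have a detail that trips up naive checks: the lower bounds start at release candidates (3.0.0-RC1, 4.0.0-RC1, 5.0.0-RC1), and a pre-release of the fixed version itself (for example 5.6.17-RC1) still lacks the fix. The following is an added example, not vendor code, that reads the `craftcms/cms` entry from a `composer.lock` and compares it against the three fixed versions from the advisory, ordering pre-releases before their final release the way Composer does. The `composer.lock` fragment and the helper names are constructed for the example.

```python
"""Check an installed Craft CMS version against the CVE-2025-32432 affected ranges.

Added example (not vendor code). Fixed versions come from the advisory:
3.9.15, 4.14.15 and 5.6.17. A pre-release of X.Y.Z sorts before the final X.Y.Z,
so "5.6.17-RC1" is still reported as vulnerable.
"""
import json
import re

# Fixed version per major line, from the advisory's "Fixed in" column.
FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

# Accepts "4.14.14", "v4.14.14", "3.0.0-RC1", "5.6.17-beta.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return (major, minor, patch, is_final) or None if the string is not semver-like."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is None


def is_vulnerable(version):
    """True if version is inside an affected range, False if fixed,
    None if the major line is not covered by the advisory (manual review)."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, is_final = parsed
    fixed = FIXED.get(major)
    if fixed is None:
        return None
    # Final releases get a trailing 1, pre-releases a 0, so X.Y.Z-RC1 < X.Y.Z.
    installed = (major, minor, patch, 1 if is_final else 0)
    return installed < fixed + (1,)


def check_composer_lock(lock_text):
    """Return (version, vulnerable) for craftcms/cms in composer.lock text, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            version = pkg["version"]
            return version, is_vulnerable(version)
    return None


# Constructed composer.lock fragment for the example (not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "4.14.14"},
    ]
})

if __name__ == "__main__":
    for v in ["3.0.0-RC1", "3.9.14", "3.9.15", "4.14.15", "5.6.17-RC1", "5.6.17"]:
        print(f"{v:12} vulnerable={is_vulnerable(v)}")
    print(check_composer_lock(SAMPLE_LOCK))
```

Run it against each site's `composer.lock` (or the `CRAFT_VERSION` shown in the control panel) rather than trusting a banner: the Shodan query listed below only identifies Craft, not the patch level.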
Detection & IOCs (extracted from sources)
Command: POST /index.php?p=admin/actions/assets/generate-transform with JSON payload: {"assetId": 11, "handle": {"width": 123, "height": 123, "as session": {"class": "craft\\behaviors\\FieldLayoutBehavior", "__class": "GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}}
Command: POST /actions/assets/generate-transform with JSON payload using the yii\rbac\PhpManager gadget and itemFile pointing to /tmp/sess_<session_id>
Shodan query: http.component:"Craft CMS"
- Detect exploit stage 1: unauthenticated GET or POST to the asset transform endpoint, which is the initial attack vector for CVE-2025-32432.
- Detect exploit stage 2: POST to /actions/assets/generate-transform with a JSON body containing 'as hack' or 'as session' keys with a nested '__class' referencing Yii/Guzzle gadget classes (PhpManager, FnStream, FieldLayoutBehavior). This is the deserialization trigger.
- Monitor for PHP session files in /tmp (e.g., /tmp/sess_*) being referenced in POST request JSON payloads to Craft CMS endpoints, indicating session file poisoning and inclusion.
- Alert on HTTP responses from Craft CMS containing 'PHP Extension', 'PHP Version' and 'CRAFT_' simultaneously, which indicates successful phpinfo() execution via the exploit.
- Look for the X-CSRF-Token header being supplied on unauthenticated POST requests to the generate-transform endpoint: attackers first scrape the CSRF token from the page before sending the malicious payload.
- Post-exploitation: monitor for unexpected PHP file manager uploads and new backdoor files on Craft CMS servers, as attackers used the RCE to install PHP-based file managers and exfiltrate data.
- The Mimo/Hezb intrusion set has been observed exploiting CVE-2025-32432 to deploy cryptocurrency miners and residential proxyware; hunt for these payloads on compromised Craft CMS servers.
- CVE-2025-32432 has been exploited as a zero-day since at least February 2025; treat any unpatched Craft CMS instance (versions < 3.9.15, < 4.14.15, < 5.6.17) as actively compromised and prioritize forensic review.
- This vulnerability is a follow-on fix to CVE-2023-41892; detection rules or WAF signatures written for CVE-2023-41892 may not fully cover the new attack surface introduced in CVE-2025-32432.
- The attack is pre-authentication (no valid credentials required), making network-perimeter controls insufficient as the sole defense. The CVSS score is 10.0 with no privileges required.
- After exploitation, the security key and all environment-variable secrets (S3, Stripe, etc.) should be considered compromised and rotated, as they may have been captured from the environment.
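The stage-1, stage-2 and phpinfo indicators above can be turned into a single request/response classifier. The block below is an added example, not a rule from any of the sources: it matches the transform endpoint in both URL forms, walks the JSON body for a Yii behaviour-injection key (`as session` / `as hack`) carrying a `__class` that names one of the three gadget classes, flags `__construct()` and any `/tmp/sess_*` reference, and separately tests a response body for the three phpinfo() markers. The sample transactions are constructed for the example (the payload shape mirrors the Command entries above); they are not captured traffic.

```python
"""Classify HTTP transactions against the CVE-2025-32432 detection notes.

Added example, not a vendor or IDS-vendor artefact. Sample requests below are
constructed for illustration.
"""
import json
import re

# Present in both /actions/assets/generate-transform and
# /index.php?p=admin/actions/assets/generate-transform.
TRANSFORM_MARKER = "actions/assets/generate-transform"

# Gadget classes named in the detection notes (decoded, single-backslash form).
GADGET_CLASSES = {
    "yii\\rbac\\PhpManager",
    "GuzzleHttp\\Psr7\\FnStream",
    "craft\\behaviors\\FieldLayoutBehavior",
}
SESSION_FILE_RE = re.compile(r"/tmp/sess_[0-9A-Za-z,-]+")
PHPINFO_MARKERS = ("PHP Extension", "PHP Version", "CRAFT_")


def _walk(node):
    """Yield every (key, value) pair in a nested JSON structure, depth first."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield k, v
            yield from _walk(v)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def classify_request(method, uri, body):
    """Return the list of reasons a request matches the exploit stages (empty if none)."""
    reasons = []
    if TRANSFORM_MARKER not in uri:
        return reasons
    reasons.append("stage1: request to asset transform endpoint")
    if method.upper() != "POST" or not body:
        return reasons
    try:
        data = json.loads(body)
    except ValueError:
        return reasons  # non-JSON body: stage-1 hit only
    for key, value in _walk(data):
        # Yii attaches behaviours from keys of the form "as <name>".
        if key.lower().startswith("as ") and isinstance(value, dict):
            reasons.append(f"stage2: behaviour injection key {key!r}")
        if key == "__class" and isinstance(value, str) and value in GADGET_CLASSES:
            reasons.append(f"stage2: gadget class {value}")
        if key == "__construct()":
            reasons.append("stage2: constructor-argument injection")
        if isinstance(value, str) and SESSION_FILE_RE.search(value):
            reasons.append(f"session file reference {SESSION_FILE_RE.search(value).group(0)}")
    return reasons


def phpinfo_leaked(response_body):
    """True when all three phpinfo() markers from the notes appear together."""
    return all(marker in response_body for marker in PHPINFO_MARKERS)


# Constructed sample traffic: (method, uri, body).
SAMPLE_REQUESTS = [
    ("GET", "/actions/assets/generate-transform", ""),
    ("POST", "/index.php?p=admin/actions/assets/generate-transform",
     json.dumps({"assetId": 11, "handle": {"width": 123, "height": 123,
                 "as session": {"class": "craft\\behaviors\\FieldLayoutBehavior",
                                "__class": "GuzzleHttp\\Psr7\\FnStream",
                                "__construct()": [[]],
                                "_fn_close": "phpinfo"}}})),
    ("POST", "/actions/assets/generate-transform",
     json.dumps({"assetId": 11, "handle": {"as hack": {
                 "__class": "yii\\rbac\\PhpManager",
                 "__construct()": [[]],
                 "itemFile": "/tmp/sess_3a9f0c2e"}}})),
    # Same endpoint, no gadget keys: only the stage-1 indicator fires.
    ("POST", "/actions/assets/generate-transform",
     json.dumps({"assetId": 11, "handle": {"width": 123, "height": 123}})),
]


def scan(requests_):
    """Classify each (method, uri, body) tuple; returns one reason list per request."""
    return [classify_request(*r) for r in requests_]


if __name__ == "__main__":
    for req, reasons in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(req[0], req[1], reasons)
```

Stage-1 hits alone are noisy on a site that uses image transforms, so alert on the stage-2 reasons and use stage-1 volume as a scanning indicator. The `__construct()` key is also what the Suricata signature further down keys on.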
CVSS provenance
- NVD: CVSS 3.1 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- VulnCheck: 10.0 CRITICAL
- CISA: 10.0 CRITICAL
GHSA
Craft CMS Allows Remote Code Execution
ghsa · 2025-04-25 · CVE-2025-32432 · CRITICAL · CWE-94
### Impact
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.
### Details
https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
### References
https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
https://sensepost.com/blog/2025/investig
OSV
Craft CMS Allows Remote Code Execution
osv · 2025-04-25 · CVE-2025-32432 · CRITICAL
The OSV entry carries the same Impact, Details and References text as the GHSA advisory above.
VulnCheck
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
vulncheck · 2025 · CVSS 9.0 · CVE-2025-35939 · CRITICAL · CWE-472
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
Affected: Craft CMS Craft CMS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intellige
VulnCheck
Craft CMS Code Injection Vulnerability
vulncheck · 2025 · CVSS 10.0 · CVE-2025-32432 · CRITICAL · CWE-94
Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
Affected: Craft CMS Craft CMS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/; https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/; https://app.crowdsec.net/cti/cve-explorer/CVE-2025-32432; https://medium.com/@nshcthreatrecon/monthly-threat-actor-group-intelligence-report-june-2025-3491df82965b; https://cyble.com/blog/vulnerabilities-under-at
VulnCheck
Yiiframework Yii Improper Protection of Alternate Path Vulnerability
vulncheck · 2024 · CVSS 9.0 · CVE-2024-58136 · CRITICAL · CWE-424
Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.
Affected: Yiiframework Yii
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2024-58136; https://cyberalerts.io/vulnerability/CVE-2024-58136; https://www.cve.org/CVERecord?id=CVE-2024-58136; https://sensepost.com/blog/2025/investigating-an-in-the-wild-c
CISA
Craft CMS Code Injection Vulnerability
cisa · 2026-03-20 · CVSS 10.0 · CVE-2025-32432 · CRITICAL · CWE-94
Affected: Craft CMS Craft CMS
Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432 ; https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32432
Remediation Due Date: 2026-04-03
CISA
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
cisa · 2025-06-02 · CVSS 9.8 · CVE-2025-35939 · CRITICAL · CWE-472
Affected: Craft CMS Craft CMS
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/craftcms/cms/pull/17220 ; https://nvd.nist.gov/vuln/detail/CVE-2025-35939
Remediation Due Date: 2025-06-23
CISA
Yiiframework Yii Improper Protection of Alternate Path Vulnerability
cisa · 2025-05-02 · CVSS 9.8 · CVE-2024-58136 · CRITICAL · CWE-424
Affected: Yiiframework Yii
Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://www.yiiframework.com/news/709/please-upgrade-to-yii-2
Suricata
ET WEB_SPECIFIC_APPS CraftCMS Pre-Auth Remote Code Execution (CVE-2025-32432)
suricata · 2025-05-13 · CVSS 10.0 · CVE-2025-32432 · CRITICAL
Rule:

```
# ET Open sid 2062312 as listed on this page. The http.request_body sticky
# buffer has been inserted before the two JSON patterns: after http.uri, any
# following content match is tested against the URI, so without it the
# "__class" / "__construct()" strings would never be found in the POST body.
# The truncated trailing metadata has been closed with ";)".
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CraftCMS Pre-Auth Remote Code Execution (CVE-2025-32432)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/actions/assets/generate-transform"; fast_pattern; http.request_body; content:"|22|__class|22 3a|"; content:"|22|__construct|28 29 22 3a|"; reference:url,cloud.projectdiscovery.io/library/CVE-2025-32432; reference:cve,2025-32432; classtype:web-application-attack; sid:2062312; rev:1; metadata:affected_product CraftCMS, attack_target Server, created_at 2025_05_13, cve CVE_2025_32432, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag AI_Generated_Description, updated_at 2025_05_13;)
```
Exploit-DB
Craft CMS 5.6.16 - RCE
exploitdb · 2026-04-29 · CVSS 10.0 · CVE-2025-32432 · CRITICAL
The listing on this page is truncated: the header breaks off at the Version field, and the code resumes inside the body of the session-poisoning function (its signature is not present), then stops after the docstring of the second function.

```python
# Exploit Title: Craft CMS 5.6.16 - RCE
# Google Dork: N/A
# Date: 2026-01-24
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Vendor Homepage: https://craftcms.com
# Software Link: https://github.com/craftcms/cms
# Version: "

    url = f"{base_url}/index.php?p=admin/dashboard&a={injection}"
    try:
        r = requests.get(url, verify=False, timeout=10)
        if r.status_code == 200:
            print("[+] Session poisoning request sent successfully")
            return True
        else:
            print(f"[-] Injection failed (HTTP {r.status_code})")
            return False
    except Exception as e:
        print(f"[-] Injection error: {e}")
        return False


def execute_command(base_url, asset_id, session_id):
    """
    Step 2: Trigger deserialization and force PhpManager to include
    the poisoned session file from /tmp/sess_.
    """
```
Nuclei
CraftCMS - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2025-32432 · CRITICAL
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
Template (truncated on this page after the description):

```yaml
id: CVE-2025-32432

info:
  name: CraftCMS - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack
```
Metasploit
Craft CMS Image Transform Preauth RCE (CVE-2025-32432)
metasploit · CVSS 10.0 · CVE-2025-32432 · CRITICAL
This module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 3.x, 4.x, and 5.x < 5.6.17 via the image transform endpoint. It injects a PHP Meterpreter payload into the Craft session, then triggers its execution by abusing the Yii behavior gadget chain (PhpManager) on the generate-transform endpoint. Discovered in the wild by Orange Cyberdefense CSIRT and assigned CVE-2025-32432.
Hackernews
CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026
blogs_hackernews · 2026-03-21 · CVSS 8.8 · HIGH
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities ( KEV ) catalog, urging federal agencies to patch them by April 3, 2026.
The vulnerabilities that have come under exploitation are listed below -
CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025)
CVE-2025-43510 (CVSS score: 7.8) - A
Wiz
Crying Out Cloud Newsletter - May 2025 | Wiz
blogs_wiz · 2025-05-01 · CVSS 10.0 · tagged CVE-2025-32433 (Erlang/OTP SSH), an adjacent identifier, not CVE-2025-32432 · CRITICAL
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
Here are our top picks of cloud security highlights!
Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code executi
Checkpoint
28th April – Threat Intelligence Report
blogs_checkpoint · 2025-04-28 · tagged CVE-2025-31324
For the latest discoveries in cyber research for the week of 28th April, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments. The company suspended online orders temporarily, refunded some customers, and reported the incident to the Information Commissioner’s Office (ICO).
Yale New Haven Health (YNH
Bleepingcomputer
Craft CMS RCE exploit chain used in zero-day attacks to steal data
blogs_bleepingcomputer · 2025-04-25 · CVSS 9.0 · CRITICAL
By Lawrence Abrams
Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense.
The vulnerabilities were discovered by Orange Cyberdefense's CSIRT, which was called in to investigate a compromised server.
As part of the investigation, they discovered that two zero-day vulnerabilities impacting Craft CMS were exploited to breach the server:
CVE-2025-32432: A remote code execution (RCE) vulnerability in Craft CMS.
CVE-2024-58136: An input validation flaw in the Yii framework used by Craft CMS.
According to a report by SensePost, the ethical hacking team of Orange Cyberdefense, the threat actors ch
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
References
- https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
- https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
- https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
- https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
- https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432

Timeline
- 2025-04-25: Published
- 2026-03-20: Added to CISA KEV
- Exploited in the wild