🔴 CVE-2025-32432

Craft CMS contains a critical remote code execution vulnerability that requires no authentication or user interaction. With a CVSS score of 10.0 and inclusion in CISA's KEV catalog, this vulnerability is actively exploited in the wild against internet-facing CMS installations.

Risk Level: HIGH_RISK
CVSS Score: 10.0
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-25

Added to CISA KEV: 2026-03-20 (329 days between CVE publication and KEV addition)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-32432 is a critical security vulnerability affecting Craft CMS that allows for unauthenticated Remote Code Execution (RCE) [1] [6].

Active Exploitation and Threat Actors
The vulnerability has been actively exploited in the wild [1] [2]. Threat actors, including a group identified as "Mimo," have been observed exploiting this flaw shortly after its disclosure to deploy malicious payloads, such as cryptominers and proxyware, for financial gain [3]. It has also been linked to zero-day attacks aimed at data theft, sometimes chained with other vulnerabilities like CVE-2024-58136 in the underlying Yii framework [2].
Attack Method and Requirements
  • Method: The vulnerability stems from insecure deserialization within the asset transform generation feature of Craft CMS [6].
  • Requirements: It is a pre-authentication vulnerability, meaning it does not require user interaction or prior access to the system to exploit [5] [8]. It is considered a high-impact, low-complexity network-based attack [1].
Proof-of-Concept Availability
Proof-of-concept (PoC) exploit scripts are publicly available on platforms like GitHub, which automate the detection and verification of the vulnerability [4] [5].
Impact
Successful exploitation provides an attacker with the ability to execute arbitrary code on the affected server, granting them full control over the application environment [1]. This can lead to complete system compromise, data theft, and the deployment of persistent malware [2] [3].
Affected Versions and Mitigation
  • Affected Versions: Craft CMS versions from 3.0.0 up to 5.6.17 are affected [1].
  • Patch Status: The vulnerability has been patched in versions 3.9.15, 4.14.15, and subsequent releases [1]. Administrators are strongly advised to update their installations immediately [7].

Sources

  1. CVE-2025-32432 Detail - NVD

    Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and ... Craft CMS is a web CMS with remote code execution vulnerability from version 3.0.0 to 5.6.17. The vulnerability has been patched and exp…

  2. CVE-2025-32432: Critical Craft CMS Vulnerability Is Actively ...

    CVE-2025-32432 RCE vulnerability in Craft CMS is chained with CVE-2024-58136 in the Yii framework for zero-day attacks aimed at data theft.

  3. Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer ...

    Mimo exploits CVE-2025-32432 in Craft CMS days after disclosure, deploying cryptominer and proxyware for monetization.

  4. CTY-Research-1/CVE-2025-32432-PoC - GitHub

    CVE-2025-32432 Exploit Scripts (Python PoC). Pre-auth Remote Code Execution for CraftCMS 3.x / 4.x / 5.x PoC Maintainer ...

  5. GitHub - Sachinart/CVE-2025-32432: This repository contains a proof-of ...

    This repository contains a proof-of-concept exploit script for CVE-2025-32432, a pre-authentication Remote Code Execution (RCE) vulnerability affecting CraftCMS versions 4.x and 5.x. The vulnerability exists in the asset transform generation feature of CraftCMS. This exploit script automates the det…

  6. CraftCMS Vulnerability Exposes Systems to Pre-Auth RCE, Now ...

    The SonicWall Capture Labs threat research team became aware of a pre-authentication vulnerability in CraftCMS's asset transform generation ... Tracked as CVE-2025-32432, this critical vulnerability exploits a deserialization issue in CraftCMS, the exploit takes advantage of an insecure deserializat…

  7. Craft CMS and CVE-2025-32432

    On April 7, 2025, we received a report of a Craft CMS vulnerability that was based on a vulnerability in the Yii framework. Yii fixed that vulnerability… ... Learn about the Craft CMS vulnerability based on a Yii framework bug and how to fix it. Find out how to update, block, or mitigate the exploit…

  8. CVE-2025-32432: Craft CMS RCE Vulnerability Explained - OPSWAT

    Learn about CVE-2025-32432 in Craft CMS—how the remote code execution vulnerability works, affected versions, exploitation details, and mitigation steps.