CVE-2025-32432

Craft CMS Allows Remote Code Execution

Basic Information

CVE State
PUBLISHED
Reserved Date
April 08, 2025
Published Date
April 25, 2025
Last Updated
April 25, 2025
Vendor
craftcms
Product
cms
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Craft versions from 3.0.0-RC1 up to (but not including) 3.9.15, from 4.0.0-RC1 up to 4.14.15, and from 5.0.0-RC1 up to 5.6.17 are vulnerable to remote code execution. The attack is high-impact and low-complexity. The issue is patched in versions 3.9.15, 4.14.15, and 5.6.17; the fix is an additional hardening on top of the one shipped for CVE-2023-41892.
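The version ranges above are the only hard facts a responder can act on before reading the PoCs, so here is an offline checker that encodes them. This is an added example written for this page; it is not code from Craft CMS, from the advisory, or from any of the PoC repositories listed on this page. It assumes the standard composer.lock layout (a JSON document with a "packages" list whose entries carry "name" and "version"), the sample lock fragment is constructed for the demonstration, and the natural-order handling of pre-release identifiers (RC1 < RC2 < RC10 < final release) is a choice made here so that the 3.0.0-RC1 lower bound behaves as the advisory states it.

```python
"""Offline check of an installed craftcms/cms version against the CVE-2025-32432 ranges."""
import json
import re

# Affected ranges taken from the advisory text: (first affected, first fixed) per major line.
AFFECTED_RANGES = [
    ("3.0.0-RC1", "3.9.15"),
    ("4.0.0-RC1", "4.14.15"),
    ("5.0.0-RC1", "5.6.17"),
]

FIXED_VERSIONS = "3.9.15 / 4.14.15 / 5.6.17"

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def _prerelease_key(pre):
    """Natural-order key for a pre-release tag: numeric runs compare as numbers,
    alphabetic runs as lowercase text, so RC1 < RC2 < RC10 and beta < rc."""
    key = []
    for ident in pre.split("."):
        for run in re.findall(r"\d+|\D+", ident):
            key.append((0, int(run), "") if run.isdigit() else (1, 0, run.lower()))
    return tuple(key)


def parse_version(s):
    """Return a sortable tuple. A pre-release sorts before its final release
    (3.0.0-RC1 < 3.0.0), matching Composer/semver ordering."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())        # final release: flag 1, after any pre-release
    return (major, minor, patch, 0, _prerelease_key(pre))


def is_affected(version):
    """True when version falls inside any advisory range (lower bound inclusive, fix exclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_craft_version(composer_lock_text):
    """Pull the craftcms/cms version out of a composer.lock document."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def check_composer_lock(composer_lock_text):
    """Summarise the exposure of one site from its composer.lock."""
    ver = installed_craft_version(composer_lock_text)
    if ver is None:
        return {"version": None, "affected": None, "note": "craftcms/cms not found in lock file"}
    affected = is_affected(ver)
    note = f"upgrade to {FIXED_VERSIONS} or later" if affected else "patched or outside affected ranges"
    return {"version": ver, "affected": affected, "note": note}


# Constructed composer.lock fragment for the demonstration (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "5.6.16"},
    ]
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
    for v in ["3.0.0-RC1", "3.0.0-beta.1", "3.9.14", "3.9.15", "4.14.15", "v5.6.16", "2.9.9", "6.0.0"]:
        print(f"{v:12} affected={is_affected(v)}")
```

The comparison deliberately treats 3.0.0-beta.1 as outside the range, because the advisory's lower bound is RC1; if you know an even older pre-release is deployed, treat it as unpatched anyway and upgrade.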
Tags
nuclei_scanner metasploit_scanner

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

EPSS Score

Score
76.27% (Percentile: 98.85%) as of 2025-05-24

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-04-26 00:00:00 UTC)
Proof of Concept Available
Yes (added 2025-04-27 08:50:52 UTC)

Known Exploited Vulnerability Information

Source
ONYPHE Blog
Added Date
2025-04-26 00:00:00 UTC

Recent Mentions

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware

Source: TheHackerNews • Published: 2025-05-28 11:00:00 UTC

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware. The vulnerability in question is CVE-2025-32432, a maximum severity flaw in Craft CMS that was patched in

Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

Source: TheHackerNews • Published: 2025-04-28 00:00:00 UTC

Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities

CVE-2025-32432 – 0day Craft CMS discovered by Orange Cyberdefense

Source: ONYPHE Blog • Published: 2025-04-25 14:24:44 UTC

Orange Cyberdefense (OCD) has discovered a critical vulnerability (CVE-2025-32432) in the Craft CMS software. OCD has approached us to work […]

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ibrahimsql/CVE-2025-32432

Type: github • Created: 2025-04-27 13:30:17 UTC • Stars: 2

CVE-2025-32432 checker and exploit

Sachinart/CVE-2025-32432

Type: github • Created: 2025-04-27 08:50:52 UTC • Stars: 4

This repository contains a proof-of-concept exploit script for CVE-2025-32432, a pre-authentication Remote Code Execution (RCE) vulnerability affecting CraftCMS versions 4.x and 5.x. The vulnerability exists in the asset transform generation feature of CraftCMS.

Chocapikk/CVE-2025-32432

Type: github • Created: 2025-04-26 23:33:58 UTC • Stars: 2

CraftCMS RCE Checker (CVE-2025-32432)

Timeline

  • CVE ID Reserved (2025-04-08)

  • CVE Published to Public (2025-04-25)

  • Added to KEVIntel (2025-04-26)

  • Proof of Concept Exploit Available (2025-04-27)

  • Detected by Nuclei

  • Detected by Metasploit