CVE-2025-32432

Craft CMS Allows Remote Code Execution

Basic Information

CVE State
PUBLISHED
Reserved Date
April 08, 2025
Published Date
April 25, 2025
Last Updated
April 25, 2025
Vendor
craftcms
Product
cms
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Versions 3.0.0-RC1 up to but not including 3.9.15, 4.0.0-RC1 up to but not including 4.14.15, and 5.0.0-RC1 up to but not including 5.6.17 are vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. The issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

EPSS Score

Score
0.20% (Percentile: 42.04%) as of 2025-04-29

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2025-04-26 00:00:00 UTC)
Proof of Concept Available
Yes (added 2025-04-27 13:30:17 UTC)

Known Exploited Vulnerability Information

Source: ONYPHE Blog • Added: 2025-04-26 00:00:00 UTC

Recent Mentions

Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

Source: TheHackerNews • Published: 2025-04-28 00:00:00 UTC

Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities

CVE-2025-32432 – 0day Craft CMS discovered by Orange Cyberdefense

Source: ONYPHE Blog • Published: 2025-04-25 14:24:44 UTC

Orange Cyberdefense (OCD) has discovered a critical vulnerability (CVE-2025-32432) in the Craft CMS software. OCD has approached us to work […]

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ibrahimsql/CVE-2025-32432

Type: github • Created: 2025-04-27 13:30:17 UTC • Stars: 2

CVE-2025-32432 checker and exploit

Sachinart/CVE-2025-32432

Type: github • Created: 2025-04-27 08:50:52 UTC • Stars: 4

This repository contains a proof-of-concept exploit script for CVE-2025-32432, a pre-authentication Remote Code Execution (RCE) vulnerability affecting CraftCMS versions 4.x and 5.x. The vulnerability exists in the asset transform generation feature of CraftCMS.

Chocapikk/CVE-2025-32432

Type: github • Created: 2025-04-26 23:33:58 UTC • Stars: 2

CraftCMS RCE Checker (CVE-2025-32432)