CVE-2025-32432

10.0 CRITICAL

📋 TL;DR

CVE-2025-32432 is a critical, unauthenticated remote code execution vulnerability in Craft CMS that lets an attacker execute arbitrary code on the web server hosting the site. It affects Craft CMS 3.0.0-RC1 through 3.9.14, 4.0.0-RC1 through 4.14.14, and 5.0.0-RC1 through 5.6.16. Any organization running an unpatched Craft CMS installation in those ranges is at risk of complete compromise of the host.

💻 Affected Systems

Products:
  • Craft CMS
Versions: 3.0.0-RC1 to 3.9.14, 4.0.0-RC1 to 4.14.14, 5.0.0-RC1 to 5.6.16
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability affects all default configurations of Craft CMS within the specified version ranges.

📦 What is this software?

Craft CMS is a PHP content management system built on the Yii framework. It is normally installed and updated as a Composer-managed project and served by PHP-FPM behind Nginx or Apache, with a control panel (by default under /admin) and controller actions reached through Craft's "actions" route.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover, with the attacker gaining full administrative access, exfiltrating data, deploying ransomware, and moving laterally to other systems reachable from the web server.

🟠 Likely Case: Website defacement, data theft, malware installation, and persistent backdoors (for example, web shells dropped into web-writable directories) for future access.

🟢 If Mitigated: Limited impact, provided the server is segmented from internal networks, the web server user runs with minimal privileges, and active monitoring catches exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: ⚠️ Yes (exploitation in the wild was reported before the fixed releases were widely deployed)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CVSS 10.0 reflects unauthenticated, low-complexity exploitation with full impact on confidentiality, integrity and availability. Because public exploit code exists and in-the-wild exploitation has been reported, an unpatched instance that was reachable from the internet should be treated as potentially compromised until the detection checks below have been run against its logs and filesystem.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.15, 4.14.15, 5.6.17

Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3

Restart Required: No (no web server restart is needed; if PHP OPcache is configured with opcache.validate_timestamps=0, reload PHP-FPM after the update, otherwise the old Craft code can remain resident in the opcode cache)

Instructions:

1. Back up the Craft CMS installation and its database before changing anything.
2. Update to Craft CMS 3.9.15, 4.14.15, or 5.6.17, whichever matches your major version. For a Composer-managed project this is `composer update craftcms/cms -w` run from the project root (`-w` lets Composer update Craft's own dependencies if the new release requires it), followed by `php craft migrate/all` so any pending Craft migrations are applied.
3. Verify the update completed: `composer show craftcms/cms` must report the fixed version, and the control panel must display the same version.
4. Clear caches with `php craft clear-caches/all`, and reload PHP-FPM if OPcache is configured not to revalidate file timestamps.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Generic WAF signatures are a stopgap, not a fix. Where the site does not need anonymous form submissions, restrict POST and PUT requests to the control panel path (/admin by default) and to Craft's action routes (/actions/... and index.php?p=actions/...) to trusted source addresses, and alert on such requests arriving from anywhere else.

Network Segmentation

all

Isolate Craft CMS servers from critical internal networks and databases, run PHP-FPM as an unprivileged user whose write access is limited to the directories Craft needs (such as storage/), and block unexpected outbound connections from the web server so a compromised host cannot easily fetch tooling or call back to an attacker.

🧯 If You Can't Patch

  • Immediately take affected systems offline until patching is possible
  • Implement strict network access controls and monitor all traffic to/from Craft CMS servers

🔍 How to Verify

Check if Vulnerable:

Check the installed Craft CMS version in the control panel or from the project's composer.lock. Note that composer.json only records the version constraint (for example ^4.14), not the release that is actually installed, so it cannot tell you whether the patch level is vulnerable. If the installed version falls within the affected ranges, the instance is vulnerable regardless of configuration.

Check Version:

composer show craftcms/cms | grep version

Verify Fix Applied:

After updating, verify the version shows as 3.9.15, 4.14.15, or 5.6.17 in the Control Panel or via composer show craftcms/cms.
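The version check described above, as an added example that is not part of the original page or of Craft's own tooling: it reads the pinned craftcms/cms version from composer.lock, handles Composer tags with a leading "v" or a pre-release suffix (3.0.0-RC1, 5.0.0-beta.2), and compares against the fixed releases from the advisory. The composer.lock excerpt embedded below is constructed for the demonstration; the file name craft_check.py and the function names are assumptions.

```python
import json
import re
import sys

# First fixed release per supported major line, from the vendor advisory
# (GHSA-f3gw-9ww9-jmc3): every earlier release of that line is affected.
FIXED_RELEASES = {3: "3.9.15", 4: "4.14.15", 5: "5.6.17"}

# Composer tags look like "4.14.14", "v5.6.17", "3.0.0-RC1" or "5.0.0-beta.2".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn a Craft version string into a tuple that sorts correctly.

    A pre-release (RC/beta/alpha) of X.Y.Z must sort *before* the final X.Y.Z,
    so the fourth element is 0 for pre-releases and 1 for final releases.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    tag, number = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(number) if number else 0)


def is_vulnerable(version):
    """True if `version` is an affected release, False if it is fixed, None if
    the major line is not covered by the advisory (e.g. the end-of-life Craft 2)."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def installed_version(composer_lock_text):
    """Read the pinned craftcms/cms version out of a composer.lock document.

    composer.lock records what is actually installed; composer.json only holds
    the constraint (e.g. "^4.14"), which says nothing about the patch level.
    """
    lock = json.loads(composer_lock_text)
    for package in lock.get("packages", []):
        if package.get("name") == "craftcms/cms":
            return package["version"]
    return None


def check_lock(composer_lock_text):
    """Return (version, verdict); verdict is 'vulnerable', 'fixed',
    'unsupported-major' or 'not-installed'."""
    version = installed_version(composer_lock_text)
    if version is None:
        return (None, "not-installed")
    verdict = is_vulnerable(version)
    if verdict is None:
        return (version, "unsupported-major")
    return (version, "vulnerable" if verdict else "fixed")


# Constructed composer.lock excerpt for the demonstration (not a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.14.14"},
    ]
})


if __name__ == "__main__":
    # Usage: python craft_check.py /path/to/composer.lock (defaults to SAMPLE_LOCK)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print("craftcms/cms %s: %s" % check_lock(text))
```

Point it at the composer.lock of each Craft project on the host; a "fixed" verdict should also be cross-checked against the version the control panel reports, since a stale vendor/ directory or an OPcache that has not been reloaded can leave old code running even after composer.lock says otherwise.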

📡 Detection & Monitoring

Log Indicators:

  • Unexpected POST or PUT requests to Craft's action routes (/actions/... or index.php?p=actions/...) from sources that never use the control panel, especially bursts from one address or requests that end in 5xx errors
  • New or modified .php files in web-writable directories (for example storage/ or the web root), or files created by the web server user outside the paths Craft normally writes to
  • Processes such as sh, bash, curl, wget or a PHP interpreter spawned by the web server user

Network Indicators:

  • Outbound connections from web server to unknown external IPs
  • Unusual traffic patterns to Craft CMS administrative endpoints

SIEM Query:

source="web_server_logs" AND (method="POST" OR method="PUT") AND (uri="*/actions/*" OR uri="*p=actions/*") AND status>=500

This narrows the search to write requests against Craft's action routes that errored server-side, which is a far smaller set than every POST under *craft* or *admin*. Drop the status filter and group by source address to surface bursts from a single client, because a request that succeeds in executing code need not return an error.
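The log triage described by the indicators and query above, as an added example that is not part of the original page or of any Craft tooling: it parses combined-format access logs and flags write requests to Craft's action routes that returned a 5xx, plus bursts of such requests from one source address inside a sliding window. The log lines embedded below are constructed (documentation IP ranges, a placeholder action path); the function names, thresholds and the "actions" trigger (Craft's default, changeable via actionTrigger in config/general.php) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Craft dispatches controller actions through its "actions" trigger, either as
# a path prefix (/actions/...) or as the p= query parameter on index.php.
# A non-default actionTrigger in config/general.php needs this pattern adjusted.
ACTION_RE = re.compile(r"(?:^/actions/|^/index\.php/actions/|[?&]p=actions/)")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def triage(lines, burst_threshold=5, window_seconds=60):
    """Flag write requests to Craft action routes that look like probing.

    Two rules: an action POST/PUT that ended in a 5xx (failed attempts tend to
    error out server-side), and a burst of action POST/PUTs from one source IP
    inside a sliding time window. Returns a list of finding dicts.
    """
    findings = []
    per_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        if event["method"] not in ("POST", "PUT"):
            continue
        if not ACTION_RE.search(event["path"]):
            continue
        per_ip[event["ip"]].append(event)
        if event["status"] >= 500:
            findings.append({"rule": "action-write-5xx", "ip": event["ip"],
                             "path": event["path"], "ts": event["ts"]})
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, event in enumerate(events):
            # Advance the window start until the window spans <= window_seconds.
            while (event["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append({"rule": "action-write-burst", "ip": ip,
                                 "count": end - start + 1, "ts": event["ts"]})
                break
    return findings


# Constructed log excerpt (not real traffic). 203.0.113.7 hammers an action
# route (placeholder path) and gets server errors; 198.51.100.4 is an ordinary
# control-panel login that must not be flagged.
SAMPLE_LOG = [
    '198.51.100.4 - - [25/Apr/2025:10:14:55 +0000] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Apr/2025:10:15:02 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 200 71 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Apr/2025:10:15:00 +0000] "GET /index.php?p=actions/example/probe HTTP/1.1" 400 210 "-" "curl/8.6.0"',
    '203.0.113.7 - - [25/Apr/2025:10:15:01 +0000] "POST /index.php?p=actions/example/probe HTTP/1.1" 500 1842 "-" "curl/8.6.0"',
    '203.0.113.7 - - [25/Apr/2025:10:15:03 +0000] "POST /index.php?p=actions/example/probe HTTP/1.1" 500 1842 "-" "curl/8.6.0"',
    '203.0.113.7 - - [25/Apr/2025:10:15:05 +0000] "POST /index.php?p=actions/example/probe HTTP/1.1" 500 1842 "-" "curl/8.6.0"',
    '203.0.113.7 - - [25/Apr/2025:10:15:07 +0000] "POST /index.php?p=actions/example/probe HTTP/1.1" 500 1842 "-" "curl/8.6.0"',
    '203.0.113.7 - - [25/Apr/2025:10:15:09 +0000] "POST /index.php?p=actions/example/probe HTTP/1.1" 500 1842 "-" "curl/8.6.0"',
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it over the full access-log history for the period the instance was unpatched, not just recent lines; the burst rule is tuned for probing and should be loosened for sites whose public forms legitimately post to action routes, while the 5xx rule is a triage view only, since a request that succeeded in executing code need not have produced an error.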

🔗 References

  • Craft CMS security advisory GHSA-f3gw-9ww9-jmc3: https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3