Key Takeaway
CVE-2025-32432 is an unauthenticated remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected servers without any credentials. CISA has added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of April 3, 2026. Organizations should update Craft CMS to the patched version immediately and apply WAF rules and network isolation if patching cannot be completed at once.
CVE-2025-32432: Unauthenticated Remote Code Execution in Craft CMS
Affected Product: Craft CMS (all versions prior to the vendor-issued patch)
Vendor: Craft CMS
CVE ID: CVE-2025-32432
Attack Vector: Network (unauthenticated remote exploitation)
CISA KEV Deadline: Federal agencies must remediate by April 3, 2026
Vulnerability Overview
CVE-2025-32432 is a code injection vulnerability in Craft CMS that allows a remote, unauthenticated attacker to execute arbitrary code on the underlying server. No credentials are required to trigger the flaw. The vulnerability resides in the application's handling of user-supplied input, which is passed to an execution context without adequate sanitization or validation.
The flaw is classified as a remote code execution (RCE) vulnerability. An attacker sends a crafted HTTP request — specifically a malicious POST request containing a code injection payload — to a publicly accessible Craft CMS instance. The server processes the payload and executes attacker-controlled code with the privileges of the web server process (typically www-data, apache, or nginx on Linux-based deployments).
CISA added CVE-2025-32432 to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Federal civilian executive branch (FCEB) agencies are bound by Binding Operational Directive 22-01 to remediate this vulnerability by April 3, 2026.
Technical Impact
Successful exploitation grants an attacker operating system-level code execution scoped to the web server user. From this foothold, an attacker can:
- Exfiltrate data: Read application configuration files, database credentials, .env files, and any data accessible to the web process.
- Deploy malware: Drop web shells, cryptominers, or backdoors directly onto the server's file system.
- Pivot laterally: Use harvested credentials or internal network access to move deeper into the environment, particularly where Craft CMS instances sit on networks with access to internal databases, APIs, or administrative interfaces.
- Establish persistence: Modify CMS templates, cron jobs, or configuration to maintain access even after the web server process restarts.
Craft CMS is widely deployed across media organizations, e-commerce platforms, and enterprise marketing sites. Instances exposed directly to the internet without a reverse proxy or WAF present the highest risk surface.
Indicators of Exploitation
SOC analysts should hunt for the following indicators across web server logs and endpoint telemetry:
- Anomalous POST requests to Craft CMS endpoints containing atypical payloads, encoded strings, or shell command syntax.
- Unexpected process spawning from the web server user, for example www-data spawning bash, sh, curl, wget, or python processes.
- New or modified files in the web root, template directories, or upload folders shortly after suspicious HTTP activity.
- Outbound connections from the web server host to unfamiliar external IPs, particularly over non-standard ports.
- Credential access attempts against internal databases or services from the web server host.
Deploy detection rules in your SIEM to correlate web server process execution anomalies with inbound POST request spikes. EDR telemetry on the host running Craft CMS is the most reliable signal for post-exploitation activity.
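As an added detection example (not code from the advisory, CISA, or Craft CMS), the following Python correlates the two signals this section names: a burst of POST requests in the web server access log followed by the web server user spawning a shell or download tool. The access log lines and process events are constructed samples, and the 60-second window and two-POST threshold are assumed tuning values.

```python
from collections import Counter
from datetime import datetime, timedelta
import re
# Constructed nginx-style access log lines (simplified combined format), not real traffic.
ACCESS_LOG = """\
203.0.113.5 - - [18/Mar/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [18/Mar/2026:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 88
203.0.113.5 - - [18/Mar/2026:10:00:03 +0000] "POST /index.php HTTP/1.1" 200 88
203.0.113.5 - - [18/Mar/2026:10:00:04 +0000] "POST /index.php HTTP/1.1" 500 88
198.51.100.9 - - [18/Mar/2026:10:05:00 +0000] "GET /about HTTP/1.1" 200 2048
"""

# Constructed EDR-style process events: (timestamp, user, parent, child).
PROCESS_EVENTS = [
    ("2026-03-18T10:00:05", "www-data", "php-fpm", "sh"),
    ("2026-03-18T10:00:06", "www-data", "sh", "curl"),
    ("2026-03-18T10:30:00", "www-data", "php-fpm", "php"),  # benign queue worker
    ("2026-03-18T10:05:01", "root", "cron", "bash"),         # not the web user
]

WEB_USERS = {"www-data", "apache", "nginx"}
SUSPECT_CHILDREN = {"bash", "sh", "curl", "wget", "python", "python3"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_access_log(text):
    """Return (timestamp, client_ip, method, path, status) per parsable line."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts.replace(tzinfo=None), m.group(1), m.group(3), m.group(4), int(m.group(5))))
    return out

def correlate(requests, events, window=timedelta(seconds=60), min_posts=2):
    """Alert when a web-server user spawns a shell or download tool and at least
    min_posts POST requests arrived in the preceding window (assumed thresholds)."""
    posts = [r for r in requests if r[2] == "POST"]
    alerts = []
    for ts_s, user, parent, child in events:
        if user not in WEB_USERS or child not in SUSPECT_CHILDREN:
            continue
        ts = datetime.fromisoformat(ts_s)
        recent = [p for p in posts if ts - window <= p[0] <= ts]
        if len(recent) >= min_posts:
            top_src = Counter(p[1] for p in recent).most_common(1)[0][0]
            alerts.append({"time": ts_s, "user": user, "parent": parent, "child": child,
                           "post_count": len(recent), "top_source": top_src})
    return alerts
```

The benign php-fpm to php spawn and the root cron job are deliberately left out of the alerts so the rule stays scoped to the web user and the tools the indicators list names.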
Affected Versions
The vulnerability affects Craft CMS versions prior to the patched releases issued by the vendor. Organizations should confirm their installed version against the official Craft CMS security advisory and changelog.
Remediation and Mitigation
Primary action: Update Craft CMS to the latest patched version immediately. The vendor has released fixes addressing CVE-2025-32432. Apply the update through the standard Craft CMS update mechanism or via Composer:
composer update craftcms/cms
Verify the installed version matches the patched release confirmed in the vendor's security advisory before returning the instance to production.
If patching is not immediately possible, implement the following interim controls:
- WAF rules: Deploy Web Application Firewall rules to block POST requests containing code injection patterns targeting known Craft CMS endpoints. Major WAF vendors and open-source rulesets (ModSecurity CRS) include signatures for generic code injection patterns that provide partial coverage.
- IP allowlisting: If the Craft CMS admin panel or API endpoints do not require broad public access, restrict access at the network perimeter to known IP ranges.
- Network isolation: Move affected Craft CMS instances behind an internal reverse proxy and remove direct public internet exposure until patching is complete.
- Log monitoring: Enable verbose logging on the web server and application, and forward logs to your SIEM for real-time alerting on the exploitation indicators listed above.
- Disable unused endpoints: Review the Craft CMS configuration and disable any endpoints or plugins not required for production operation.
Federal agencies must comply with the CISA KEV remediation deadline of April 3, 2026. Private sector organizations should treat this as a critical-priority patch given confirmed active exploitation.
References
- CISA Known Exploited Vulnerabilities Catalog: CVE-2025-32432
- Craft CMS Official Security Advisory (craftcms.com)
- NIST NVD Entry: CVE-2025-32432
Original Source
CISA KEV
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.