Vulnerability details: VCID-czuy-m8wp-fka2
Vulnerability ID VCID-czuy-m8wp-fka2
Aliases CVE-2025-32432, GHSA-f3gw-9ww9-jmc3
Summary Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Versions from 3.0.0-RC1 before 3.9.15, from 4.0.0-RC1 before 4.14.15, and from 5.0.0-RC1 before 5.6.17 are vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. The issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
Status Published
Exploitability None
Weighted Severity None
Risk None
Weaknesses (3)
System Score Found at
epss 0.93094 https://api.first.org/data/v1/epss?cve=CVE-2025-32432
cvssv3.1 10.0 https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
generic_textual CRITICAL https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
cvssv3.1 10.0 https://github.com/craftcms/cms
generic_textual CRITICAL https://github.com/craftcms/cms
cvssv3.1 10 https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
cvssv3.1 10.0 https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
generic_textual CRITICAL https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
ssvc Act https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
cvssv3.1 10 https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
cvssv3.1 10.0 https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
generic_textual CRITICAL https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
ssvc Act https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
cvssv3.1 10 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
cvssv3.1 10.0 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
generic_textual CRITICAL https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
ssvc Act https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
cvssv3.1 10 https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
cvssv3.1 10.0 https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
generic_textual CRITICAL https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
ssvc Act https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
cvssv3.1 10.0 https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
generic_textual CRITICAL https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
cvssv3.1 10 https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
cvssv3.1 10.0 https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
generic_textual CRITICAL https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
ssvc Act https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
cvssv3.1 10.0 https://nvd.nist.gov/vuln/detail/CVE-2025-32432
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2025-32432
cvssv3.1 10.0 https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
generic_textual CRITICAL https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
cvssv3.1 10.0 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
generic_textual CRITICAL https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
Data source KEV
Date added March 20, 2026
Description Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
Required action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date April 3, 2026
Note https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432 ; https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32432
Ransomware campaign use Unknown
Data source Metasploit
Description This module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 3.x, 4.x, and 5.x < 5.6.17 via the image transform endpoint. It injects a PHP Meterpreter payload into the Craft session, then triggers its execution by abusing the Yii behavior gadget chain (PhpManager) on the generate-transform endpoint. Discovered in the wild by Orange Cyberdefense CSIRT and assigned CVE-2025-32432.
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date April 14, 2025
Platform Linux,PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb
Data source Exploit-DB
Date added April 29, 2026
Description Craft CMS 5.6.16 - RCE
Ransomware campaign use Unknown
Source publication date April 29, 2026
Exploit type webapps
Platform multiple
Source update date April 29, 2026
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): low
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://github.com/craftcms/cms
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/ Found at https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/ Found at https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/ Found at https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/ Found at https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-32432
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
Exploit Prediction Scoring System (EPSS)
Percentile 0.99799
EPSS Score 0.93094
Published At June 11, 2026, 12:55 p.m.
History
Date 2026-06-11T17:11:36.680136+00:00
Actor Vulnrichment
Action Import
Source https://github.com/cisagov/vulnrichment/blob/develop/2025/32xxx/CVE-2025-32432.json
VulnerableCode Version 38.6.0