CVE-2025-32432

CRITICAL CISA KEV EPSS 100.0%
Published Apr 25, 20251y ago · Modified Jun 17, 20261w ago
10.0 CVSS 3.1
Critical
Find Similar
Published Apr 25, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
KEV Listed Mar 20, 2026 3mo ago
KEV Due Apr 3, 2026 88d overdue

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

CVSS Details

Base Score
10.0
Exploitability
3.9
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

CISA Known Exploited Overdue 88d
Added
Mar 20, 2026
Due
Apr 3, 2026

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability
100.0% percentile
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 3

VendorProductVersionRange
craftcmscraft_cms*≥3.0.0  –  <3.9.15
craftcmscraft_cms*≥4.0.0  –  <4.14.15
craftcmscraft_cms*≥5.0.0  –  <5.6.17

References 7

  • github.com https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
    ProductRelease Notes
  • github.com https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
    ProductRelease Notes
  • github.com https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
    ProductRelease Notes
  • github.com https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
    Patch
  • github.com https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
    Vendor Advisory
  • sensepost.com https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
    ExploitPress/Media Coverage
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
    US Government Resource

Remediation

  • github.com https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
    Patch