CVE-2025-32432
Craft CMS Allows Remote Code Execution
In short
Craft CMS contains a critical flaw that allows attackers to execute arbitrary code remotely on affected servers. This vulnerability affects multiple versions and requires immediate patching to prevent complete system compromise.
Technical detail
Craft CMS versions 3.0.0-RC1 through 3.9.14, 4.0.0-RC1 through 4.14.14, and 5.0.0-RC1 through 5.6.16 are vulnerable to unauthenticated remote code execution, classified as CWE-94 (improper control of generation of code). The attack has low complexity and requires no special privileges, enabling direct takeover of the application and the underlying server.
Summary generated and translated by AI from the official description.
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
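The version ranges above are the practical test for exposure: an installation is affected only if its craftcms/cms version sits inside one of the three ranges, with the release-candidate lower bounds and the patched upper bounds handled correctly. The following is an added inventory-check example, not code from this page or from the Craft CMS project; it assumes Craft's x.y.z[-alpha|beta|RC[n]] version strings and the standard composer.lock layout (a "packages" array of objects with "name" and "version"), and the composer.lock fragment inside it is constructed for the demonstration.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory: inclusive lower bound, exclusive
# upper bound (the upper bound is the patched release for that major line).
AFFECTED_RANGES = [
    ("3.0.0-RC1", "3.9.15"),
    ("4.0.0-RC1", "4.14.15"),
    ("5.0.0-RC1", "5.6.17"),
]

# Pre-release tags sort before the final release, in the order alpha < beta < RC.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+)?)?$", re.IGNORECASE
)

VersionKey = Tuple[int, int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn a Craft version string into a tuple that compares in release order.

    Final releases get a 1 in the fourth slot so they sort after every
    pre-release of the same x.y.z (e.g. 3.0.0-RC1 < 3.0.0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0, 0)
    rank = _PRE_RANK[m.group(4).lower()]
    num = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, 0, rank, num)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release for an affected version's major line, else None."""
    key = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= key < parse_version(hi):
            return hi
    return None


def craft_version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Extract the installed craftcms/cms version from a composer.lock document."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "craftcms/cms":
                return pkg.get("version")
    return None


# Constructed sample composer.lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.14.14"},
        {"name": "twig/twig", "version": "3.8.0"},
    ]
})


if __name__ == "__main__":
    installed = craft_version_from_composer_lock(SAMPLE_LOCK)
    print(f"installed craftcms/cms: {installed}")
    if installed and is_affected(installed):
        print(f"AFFECTED by CVE-2025-32432; upgrade to {fixed_version_for(installed)}")
    else:
        print("not in an affected range")
```

Run it against a real composer.lock by replacing SAMPLE_LOCK with the file's contents. The pre-release ordering matters at the lower edge: 3.0.0-RC1 is inside the range while 3.0.0-beta.1 is not, matching the advisory's "starting from 3.0.0-RC1" wording, and a bare version comparison that ignored the suffix would get that wrong.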
Affected products
craftcms · cms
Public PoCs found: 8
github.com/Sachinart/CVE-2025-32432 (github, ★ 25)
github.com/Chocapikk/CVE-2025-32432 (github, ★ 10)
github.com/CTY-Research-1/CVE-2025-32432-PoC (github, ★ 3)
github.com/cd-ratel/CVE-2025-32432 (github, ★ 2)
github.com/bambooqj/CVE-2025-32432 (github, ★ 2)
github.com/TheMursalin/CVE-2025-32432 (github, ★ 0)
www.exploit-db.com/exploits/52525 (exploitdb, unverified)
sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/ (cve_reference, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432