CVE-2025-32432

Published Apr 25, 2025

Last updated a year ago

Overview

Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
Source: security-advisories@github.com
NVD status: Analyzed
Products: craft_cms

Risk scores

CVSS 3.1

Type: Primary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-94
nvd@nist.gov: NVD-CWE-noinfo

Social media

Hype score
Not currently trending
  1. CVE-2025-32432: Unauthenticated Remote Code Execution in Craft CMS: https://t.co/7oNWAxSPDq #exploitation #cms #vulnerability #cybersecurity #informationsecurity #cve https://t.co/wZ8bufqufZ

    @blackstormsecbr

    12 Jan 2026

    177 Impressions

    1 Retweet

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  2. Unauthenticated RCE in Craft CMS is hitting thousands of sites—fast. This new CVE-2025-32432 shows how a single misused DI container can expose full server takeover. Our fellows break down the exploit chain and how to defend against it. Stay ahead—secure your supply chain wit

    @OPSWAT

    2 Jan 2026

    196 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE-2025-32432 (CVSS 10.0): Craft CMS Allows Remote Code Execution Craft CMS is vulnerable to remote code execution. High-impact, low-complexity attacks can exploit versions before 3.9.15, 4.14.15, and 5.6.17, allowing unauthenticated attackers to execute arbitrary code htt

    @zoomeye_team

    24 Dec 2025

    5402 Impressions

    18 Retweets

    63 Likes

    32 Bookmarks

    1 Reply

    1 Quote

  4. CVE-2025-32432: Unauthenticated Remote Code Execution in Craft CMS - by @OPSWAT https://t.co/QiBPU4YybH

    @kmkz_security

    23 Dec 2025

    6829 Impressions

    21 Retweets

    104 Likes

    47 Bookmarks

    0 Replies

    1 Quote

  5. Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware #CISO https://t.co/04D7DQkc4p https://t.co/5k1ctHDNKc

    @compuchris

    24 Jul 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

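  6. [MBSD-SOC Detection Trend Topics] We have published the #MBSD #SOC detection trend topics for June 2025. This month, we newly observed attacks targeting the vulnerability (CVE-2025-32432) in the open-source content management system "CraftCMS"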

    @mbsdnews

    11 Jul 2025

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 A Critical Vulnerability exists in Craft CMS (CVE-2025-32432). See the @ncsc_gov_ie advisory for more info: https://t.co/sUYJJU25P3

    @ncsc_gov_ie

    24 Jun 2025

    385 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    1 Jun 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. A new RCE vulnerability for Craft CMS has recently been published with the identifier CVE-2025-32432. Using this vulnerability, hackers have been injecting malware of the type m

    @AmirHossein_sec

    30 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. TI WooCommerce Wishlist and Craft CMS vulnerabilities compromise 100,000 sites Vulnerabilities, alamdar, Craft CMS, CVE-2025-32432, cybercrime, ecommerce, exploit, IPRoyal, Mimo, php, security, TI WooCommerce Wishlist, xmrig https://t.co/ivrG2M9v0y https://t.co/nzjO1ArO5V

    @matricedigitale

    29 May 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Mimo hackers exploit Craft CMS vulnerability CVE-2025-32432 to deploy cryptominer and proxyware https://t.co/Rt6DnndbCS #Security #セキュリティ #ニュース

    @SecureShield_

    29 May 2025

    70 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    29 May 2025

    80 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    1 Quote

  13. #Mimo #Hackers #Exploit CVE-2025-32432 in #Craft_CMS to Deploy #Cryptominer and #Proxyware https://t.co/lCiRfP0emD https://t.co/ToKUubcOPa

    @omvapt

    28 May 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Mimo hackers exploit CVE-2025-32432 in Craft CMS to deploy cryptominers and proxyware. Ensure your systems are updated to the latest versions to stay protected. https://t.co/NTXkDEC8nc #Cybersecurity #Hackers #Exploit #CraftCMS #CVE #Cryptomining #Proxyware #Protection #Update ht

    @dailytechonx

    28 May 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🚨 Alert in Spain! Hackers are exploiting the CVE-2025-32432 vulnerability in Craft CMS to install cryptocurrency miners and proxyware. Protect your site and update your CMS immediately. More info here: https://t.co/9xKTHW6Q2I #Ciberseguridad #CraftCMS #CVE2025

    @SotyHub

    28 May 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Mimo #hackers Exploit #CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware https://t.co/LCMdN2bC6w

    @AdliceSoftware

    28 May 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. #Mimo Hackers Exploit #CVE-2025-32432 in Craft CMS to #Deploy Cryptominer and Proxyware https://t.co/MqiMXxjDnf

    @ScyScan

    28 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 Cyberattack Alert: Mimo hackers exploited a Craft CMS vulnerability (CVE-2025-32432) to deploy cryptominers. Stay updated on software patches! #CryptoSecurity

    @aljhon71227

    28 May 2025

    20 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware https://t.co/BCoKDPAsDR #CyberSecurity #Malware #CSCIS

    @CIDC_Ops

    28 May 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware https://t.co/fxaK5a9KNm https://t.co/aeYxQVP32R

    @talentxfactor

    28 May 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware #JustUnsecure #AFrihackbox https://t.co/yhQPQqdrTO

    @afrihackbox

    28 May 2025

    26 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  22. MIMO Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware https://t.co/zUKxSWZTVs

    @SecMindLab

    28 May 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. The Hacker News - Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware https://t.co/9Gq4YAnIVt

    @buzz_sec

    28 May 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware https://t.co/sdECX6fpc3

    @DemolisherDigi

    28 May 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 📍Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware https://t.co/p0kbAiuM8b

    @cyberetweet

    28 May 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 📌 Financially motivated criminals attacked the remote code execution vulnerability CVE-2025-32432 in the Craft content management system, exploiting it to deploy malware that includes cryptocurrency miners and a tool

    @Cybercachear

    28 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🚨 Urgent! Mimo hackers are exploiting CVE-2025-32432 in Craft CMS for cryptojacking! Update to the latest version NOW to avoid RCE and malware deployment. Monitor for suspicious activity & review security configs. #Cybersecurity #CraftCMS #Vulnerability https://t.co/GLQ20

    @fernandokarl

    28 May 2025

    38 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware. https://t.co/nlXziDyRCB htt

    @virusbtn

    28 May 2025

    1507 Impressions

    8 Retweets

    21 Likes

    3 Bookmarks

    0 Replies

    1 Quote

  29. Mimo Returns: CVE-2025-32432 Exploited in Cryptomining and Proxyware Campaigns https://t.co/vzd7PqfiMR

    @the_yellow_fall

    28 May 2025

    331 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. The Sharp Taste of Mimo’lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS https://t.co/Bi10qd613p This article details a cybersecurity threat involving the exploitation of CVE-2025-32432, a Remote Code Execution vulnerability affecting the Cra… https://t.co/Il0Ci

    @f1tym1

    27 May 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    15 May 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    12 May 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    11 May 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  34. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    10 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  35. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    9 May 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    8 May 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  37. 🚩 May 6 Advisory: Critical RCE Vulnerability Identified in Craft CMS [CVE-2025-32432] https://t.co/o8AihNMk9T

    @censysio

    6 May 2025

    1059 Impressions

    5 Retweets

    10 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  38. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    5 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  39. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    5 May 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  40. csirt_it: The Cyber Week of 4 May 2025 🔹 updates for multiple products 🔹 Malvertising: spread of the NodeStealer and Xworm malware 🔹 Craft CMS: active exploitation chain detected for CVE-2025-32432 and CVE-2024-58136 ⚠️ #EPS… https://t.co

    @Vulcanux_

    5 May 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. The Cyber Week of 4 May 2025 🔹 updates for multiple products 🔹 Malvertising: spread of the NodeStealer and Xworm malware 🔹 Craft CMS: active exploitation chain detected for CVE-2025-32432 and CVE-2024-58136 ⚠️ #EPSS 🔗 https://t.co/0ICeD

    @csirt_it

    5 May 2025

    126 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    4 May 2025

    42 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  43. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    4 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  44. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    3 May 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  45. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    3 May 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  46. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    2 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  47. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    1 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  48. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    1 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  49. Actively exploited CVE : CVE-2025-32432

    @transilienceai

    30 Apr 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  50. Two vulnerabilities have recently been published for Craft CMS with the identifiers CVE-2025-32432, of the RCE type, and CVE-2024-58136, of the input validation type. To prevent and counter them, the necessary update

    @AmirHossein_sec

    29 Apr 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations