CVE-2025-32432
Published: 25 April 2025
Summary
CVE-2025-32432 is a critical-severity Code Injection (CWE-94) vulnerability in Craft CMS by craftcms. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Craft CMS, a web content management system, contains a remote code execution vulnerability in versions 3.0.0-RC1 through 3.9.14, 4.0.0-RC1 through 4.14.14, and 5.0.0-RC1 through 5.6.16. The flaw, classified as CWE-94 (Code Injection), permits unauthenticated attackers to execute arbitrary code on the server. It carries a CVSS 3.1 score of 10.0 because it is reachable over the network, requires low attack complexity, and has full scope impact on confidentiality, integrity, and availability. It is described as an additional remediation for the earlier CVE-2023-41892.
An attacker with no credentials or user interaction can send a crafted request that triggers code execution, allowing full compromise of the affected Craft installation and potentially the underlying host. The attack vector is rated high-impact and low-complexity, making it attractive for opportunistic exploitation against any internet-facing instance running an unpatched release.
The official GitHub changelogs and security advisory GHSA-f3gw-9ww9-jmc3 state that the issue has been resolved in Craft 3.9.15, 4.14.15, and 5.6.17; administrators are advised to upgrade immediately. The EPSS score stands at 0.9309 and has shown no material rise from a lower baseline since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12521
Vulnerability details
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
- CWE(s): CWE-94
- KEV Date Added: 20 March 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-32432 enables unauthenticated remote code execution on public-facing Craft CMS web applications, directly facilitating T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the vendor patches (3.9.15/4.14.15/5.6.17) that close the CWE-94 code-generation flaw.
- SI-10 (Information Input Validation): Enforces validation of all untrusted input to block the crafted payloads that trigger arbitrary code execution.
- Restricts activation of unnecessary code-generation or scripting features that the RCE vector exploits.