Cyber Resilience

CVE-2025-32432

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 25 April 2025
Modified: 20 March 2026
KEV Added: 20 March 2026
Patch: available
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.9309 (99.8th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32432 is a critical-severity Code Injection (CWE-94) vulnerability in Craft CMS (vendor: craftcms). Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Craft CMS, a web content management system, contains a remote code execution vulnerability in versions 3.0.0-RC1 through 3.9.14, 4.0.0-RC1 through 4.14.14, and 5.0.0-RC1 through 5.6.16. The flaw, classified as CWE-94, permits unauthenticated attackers to execute arbitrary code on the server and carries a CVSS 3.1 score of 10.0 because it is network-accessible, low-complexity, and changes scope, with high impact on confidentiality and integrity (availability impact is rated low in the vector). It is described as an additional remediation for the earlier CVE-2023-41892.

An attacker with no credentials or user interaction can send a crafted request that triggers code execution, allowing full compromise of the affected Craft installation and potentially the underlying host. The attack vector is rated high-impact and low-complexity, making it attractive for opportunistic exploitation against any internet-facing instance running an unpatched release.

The official GitHub changelogs and security advisory GHSA-f3gw-9ww9-jmc3 state that the issue has been resolved in Craft 3.9.15, 4.14.15, and 5.6.17; administrators are advised to upgrade immediately. The EPSS score stands at 0.9309 with no material post-disclosure rise from a lower baseline.


Vulnerability details

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
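The only fully effective mitigation on this page is being on 3.9.15, 4.14.15 or 5.6.17 or later, so the first defensive step is an inventory check: which installations fall inside the affected ranges? The following is an added example, not code from the page or from the Craft CMS project. It encodes the three affected ranges exactly as the advisory text states them (first affected release to first fixed release, exclusive), compares versions with RC-aware ordering (an RC sorts before the final release of the same number), and reads the installed version out of a `composer.lock` file, where Craft records itself under the package name `craftcms/cms`. The lock file contents below are constructed for the example.

```python
import json
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as stated in the advisory: (first affected, first fixed).
# The upper bound is exclusive, because the fixed release is not affected.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("3.0.0-RC1", "3.9.15"),
    ("4.0.0-RC1", "4.14.15"),
    ("5.0.0-RC1", "5.6.17"),
]

# Accepts "3.9.14", "v4.14.14", "5.0.0-RC1" (RC suffix case-insensitive).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(?:RC|rc)(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Craft version string into a sortable tuple.

    The fourth element is 0 for a release candidate and 1 for a final release,
    so that e.g. 3.9.15-RC1 < 3.9.15, matching semantic-versioning order.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_affected(version: str) -> bool:
    """True if the given Craft version falls inside any affected range."""
    key = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= key < parse_version(first_fixed):
            return True
    return False


def craft_version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Extract the installed craftcms/cms version from composer.lock JSON.

    Composer records installed packages under the top-level "packages" list,
    each with "name" and "version" fields.
    """
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def assess_installation(lock_text: str) -> Tuple[str, Optional[str]]:
    """Classify one installation as 'vulnerable', 'patched' or 'unknown'."""
    version = craft_version_from_composer_lock(lock_text)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_affected(version) else "patched", version)


# Constructed sample lock files: one unpatched 4.x site, one patched 5.x site,
# and one lock file that does not contain Craft at all.
SAMPLE_LOCKS = {
    "site-a": json.dumps({"packages": [
        {"name": "craftcms/cms", "version": "4.14.14"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]}),
    "site-b": json.dumps({"packages": [
        {"name": "craftcms/cms", "version": "5.6.17"},
    ]}),
    "site-c": json.dumps({"packages": [
        {"name": "monolog/monolog", "version": "3.5.0"},
    ]}),
}


def assess_fleet(locks: dict) -> dict:
    """Map each site name to (status, version) for reporting."""
    return {name: assess_installation(text) for name, text in locks.items()}


if __name__ == "__main__":
    for site, (status, version) in assess_fleet(SAMPLE_LOCKS).items():
        print(f"{site}: {status} (craftcms/cms {version})")
```

Running it prints one line per site; anything reported as `vulnerable` should be scheduled for the upgrade named in the advisory, and `unknown` sites need a manual look, since a missing `craftcms/cms` entry may simply mean the site was not installed through Composer.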

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 20 March 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-32432 enables unauthenticated remote code execution on public-facing Craft CMS web applications, directly facilitating T1190: Exploit Public-Facing Application.

Affected Assets

Vendor: craftcms
Product: Craft CMS
Versions: 3.0.0 — 3.9.15 · 4.0.0 — 4.14.15 · 5.0.0 — 5.6.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-2 (Flaw Remediation): Directly requires timely application of the vendor patches (3.9.15/4.14.15/5.6.17) that close the CWE-94 code-generation flaw.

prevent · SI-10 (Information Input Validation): Enforces validation of all untrusted input to block the crafted payloads that trigger arbitrary code execution.

prevent: Restricts activation of unnecessary code-generation or scripting features that the RCE vector exploits.

References