Remote Code Execution Vulnerability in Craft CMS by Pixel & Tonic
CVE-2025-32432

CVSS score: 10 (CRITICAL)

Key Information:

Vendor: Craftcms
Status: Vendor
CVE Published: 25 April 2025

Badges

  • 📈 Score: 1,800
  • 💰 Ransomware
  • 👾 Exploit Exists
  • 🟣 EPSS 67%
  • 📰 News Worthy

What is CVE-2025-32432?

CVE-2025-32432 is a high-severity remote code execution vulnerability in Craft CMS, a flexible content management system for building custom digital experiences. It affects specific version ranges of the software (listed under Affected Version(s) below) and allows a malicious actor to execute arbitrary code on an affected installation. Organizations running Craft CMS face considerable risk, including unauthorized data access, system compromise and disruption of services, with direct impact on their operational integrity and reputation.

Technical Details

The vulnerability is present in Craft CMS from version 3.0.0-RC1 up to, but not including, 3.9.15; from 4.0.0-RC1 up to, but not including, 4.14.15; and from 5.0.0-RC1 up to, but not including, 5.6.17. The attack has low complexity (CVSS Attack Complexity: Low), which makes it relatively easy for an attacker to carry out. The issue is fixed in versions 3.9.15, 4.14.15 and 5.6.17, which also carry a fix for a previously identified vulnerability (CVE-2023-41892).

Potential Impact of CVE-2025-32432

  1. Unauthorized Access and Control: Attackers can gain unauthorized access to the system, potentially leading to the execution of arbitrary commands and loss of sensitive information.

  2. Service Disruption: Exploiting this vulnerability can lead to service outages, disrupting business operations and affecting user experience.

  3. Increased Risk of Data Breaches: Vulnerable systems may be targeted for data breaches, exposing sensitive data to unauthorized entities and resulting in significant reputational damage and regulatory consequences for affected organizations.

Affected Version(s)

cms: >= 3.0.0-RC1, < 3.9.15 (unaffected: < 3.0.0-RC1; fixed in 3.9.15)

cms: >= 4.0.0-RC1, < 4.14.15 (unaffected: < 4.0.0-RC1; fixed in 4.14.15)

cms: >= 5.0.0-RC1, < 5.6.17 (unaffected: < 5.0.0-RC1; fixed in 5.6.17)
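The version ranges above are the practical check a defender needs: is the installed Craft CMS inside one of them? The following script is an added example, not code from this page or from Pixel & Tonic. It encodes the three ranges exactly as listed, parses Craft-style version strings including pre-release tags such as -RC1 (so that 3.0.0-RC1 correctly sorts before 3.0.0), and reads the installed version out of a composer.lock file. It assumes the Composer package name craftcms/cms and the standard composer.lock layout ("packages" list with "name" and "version" keys); the composer.lock excerpt embedded at the bottom is constructed for the demo.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed on this page for the craftcms/cms package:
# (first affected version, inclusive; first fixed version, exclusive).
AFFECTED_RANGES = [
    ("3.0.0-RC1", "3.9.15"),
    ("4.0.0-RC1", "4.14.15"),
    ("5.0.0-RC1", "5.6.17"),
]

# major.minor.patch with an optional pre-release tag such as -RC1, -beta.2, -alpha3
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")

VersionKey = Tuple[int, int, int, Tuple[int, str, int]]


def parse_version(text: str) -> VersionKey:
    """Turn a Craft version string into a tuple that compares correctly.

    A pre-release (3.0.0-RC1) must sort *before* its final release (3.0.0),
    so the fourth element is (0, tag, n) for pre-releases and (1, "", 0)
    for final releases; Python compares the tuples element by element.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (0, m.group(4).lower(), int(m.group(5) or 0))
    else:
        pre = (1, "", 0)
    return (major, minor, patch, pre)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release that fixes CVE-2025-32432 for this install,
    or None when the install is outside every affected range."""
    key = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= key < parse_version(fixed):
            return fixed
    return None


def check_composer_lock(lock_text: str) -> Optional[dict]:
    """Read composer.lock text and report the installed craftcms/cms version.

    Returns None when the package is not present; otherwise a dict with
    the installed version and, if affected, the version to upgrade to.
    (Assumes the standard composer.lock layout.)
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            version = pkg["version"]
            fixed = fixed_version_for(version)
            return {"version": version, "affected": fixed is not None, "fixed_in": fixed}
    return None


# Constructed composer.lock excerpt (not taken from any real site) for the demo.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "4.13.2"},
    ]
})

if __name__ == "__main__":
    # Point this at a real site's composer.lock to audit an installation.
    print(check_composer_lock(SAMPLE_LOCK))
    # {'version': '4.13.2', 'affected': True, 'fixed_in': '4.14.15'}
```

The comparison deliberately treats a pre-release of a fixed version (for example 4.14.15-RC1) as still affected, because it sorts below the final 4.14.15 release; that is the conservative reading a patch audit should take.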

News Articles

Critical Craft CMS Flaws Exploited in Wild

Craft CMS flaws CVE-2025-32432 and CVE-2024-58136 are under active attack. Over 300 servers breached—patch your sites now to avoid compromise.

2 weeks ago

Attackers chained Craft CMS zero-days attacks in the wild

Orange Cyberdefense's CSIRT reported that threat actors exploited two vulnerabilities in Craft CMS to breach servers and steal data.

2 weeks ago

Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

Threat actors exploited Craft CMS zero-days CVE-2025-32432 and CVE-2024-58136, compromising 300 of 13,000 vulnerable servers.

2 weeks ago

EPSS Score

67% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 💰 Used in Ransomware
  • 👾 Exploit known to exist
  • 📰 First article discovered by BleepingComputer
  • Vulnerability published
