CVE-2025-32432

CRITICAL
10.0
CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Added to CISA KEV: Mar 20, 2026 - 19:14 (source: cisa)
PoC Detected (public exploit code): Mar 20, 2026 - 19:14 (source: vuln.today)
Analysis Generated: Mar 20, 2026 - 16:07 (source: vuln.today)
Patch Released (patch available): Mar 20, 2026 - 16:07 (source: nvd)
CVE Published: Apr 25, 2025 - 15:15 (source: nvd)

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Analysis

Craft CMS versions 3.x through 5.x contain a critical remote code execution vulnerability (CVSS 10.0) that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability was actively exploited in the wild before patches were released.

Technical Context

The CWE-94 code injection vulnerability allows unauthenticated attackers to inject and execute arbitrary PHP code through the CMS's request handling. Exploitation is low-complexity and requires neither user interaction nor authentication, which is why the CVSS score reaches the maximum of 10.0.

Affected Products

Craft CMS 3.0.0-RC1 to 3.9.14
Craft CMS 4.0.0-RC1 to 4.14.14
Craft CMS 5.0.0-RC1 to 5.6.16

Remediation

Immediately update to Craft CMS 3.9.15, 4.14.15, or 5.6.17 (the first fixed release of each supported branch). Because public exploit code exists and the issue is listed in CISA KEV, treat any unpatched internet-facing instance as potentially compromised: review server logs for signs of exploitation, check for web shells, and audit any content modifications made before patching.

Priority Score

Total: 199 (scale: Low / Medium / High / Critical)
KEV: +50
EPSS: +79.0
CVSS: +50
POC: +20


CVE-2025-32432 vulnerability details – vuln.today
