
Craft Cms CVE-2025-32432

CRITICAL
Code Injection (CWE-94)
2025-04-25 security-advisories@github.com GHSA-f3gw-9ww9-jmc3
CVSS 3.1 base score: 10.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline (5 events)

Added to CISA KEV: Mar 20, 2026 - 19:14 (source: cisa) - listed in CISA KEV
PoC Detected: Mar 20, 2026 - 19:14 (source: vuln.today) - public exploit code
Analysis Generated: Mar 20, 2026 - 16:07 (source: vuln.today)
Patch released: Mar 20, 2026 - 16:07 (source: nvd) - patch available
CVE Published: Apr 25, 2025 - 15:15 (source: nvd)

Description (NVD)

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Craft versions from 3.0.0-RC1 before 3.9.15, from 4.0.0-RC1 before 4.14.15, and from 5.0.0-RC1 before 5.6.17 are vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. The issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Analysis (AI-generated)

Craft CMS versions 3.x through 5.x contain a critical remote code execution vulnerability (CVSS 10.0) that allows unauthenticated attackers to execute arbitrary code on the server, actively exploited in the wild before patches were released.

Technical Context (AI-generated)

The CWE-94 code injection flaw lets unauthenticated attackers inject and execute arbitrary PHP code via the CMS's request handling. The attack is low-complexity and requires neither authentication nor user interaction.

Remediation (AI-generated)

Immediately update to Craft CMS 3.9.15, 4.14.15, or 5.6.17. Review server logs for signs of exploitation, check for web shells, and audit any content modifications made before patching.
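The first remediation step is knowing which installations fall inside the affected ranges quoted in the description. The following script is an added example written for this page; it is not code from vuln.today, Craft CMS, or the advisory. It encodes the three affected ranges (3.0.0-RC1 before 3.9.15, 4.0.0-RC1 before 4.14.15, 5.0.0-RC1 before 5.6.17) and classifies an inventory of installed versions, taking care that pre-release tags such as `-RC1` or `-beta.1` sort before the corresponding final release, since a pre-release of the fixed version is still unpatched. The hostnames and version strings in the sample inventory are constructed, and the version-string format it accepts (`MAJOR.MINOR.PATCH[-tag[.]n]`) is an assumption about how versions are recorded, not something the advisory specifies.

```python
import re

# Affected ranges taken from the advisory text: vulnerable from the first
# listed release (inclusive) up to, but not including, the fixed release.
AFFECTED_RANGES = {
    3: ("3.0.0-RC1", "3.9.15"),
    4: ("4.0.0-RC1", "4.14.15"),
    5: ("5.0.0-RC1", "5.6.17"),
}

# Ordering of pre-release tags. Unknown tags sort after the known ones but,
# like every pre-release, still before the final release.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

# Assumed version format: MAJOR.MINOR.PATCH with an optional "-tag[.]N" suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn a version string into a tuple that compares correctly.

    3.0.0-RC1 must sort *before* 3.0.0, so the tuple carries a release flag
    (0 = pre-release, 1 = final) ahead of the tag rank and tag number.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, tag_num = m.group(4), m.group(5)
    if tag is None:
        release_key = (1, 0, 0)
    else:
        rank = _PRERELEASE_RANK.get(tag.lower(), len(_PRERELEASE_RANK))
        release_key = (0, rank, int(tag_num) if tag_num else 0)
    return (major, minor, patch) + release_key


def classify(version):
    """Classify one installed Craft version against the advisory's ranges."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:
        # Major versions the advisory does not mention (e.g. 2.x)
        return "not covered by advisory"
    low, fixed = parse_version(rng[0]), parse_version(rng[1])
    if low <= v < fixed:
        return "affected"
    if v >= fixed:
        return "fixed"
    # Same major line but older than the first affected pre-release
    return "not covered by advisory"


def triage(inventory):
    """Map host -> status for a {host: version} inventory.

    Unparsable version strings are reported as 'unknown' rather than silently
    skipped, so they show up for manual follow-up.
    """
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "web-01": "3.9.14",
    "web-02": "3.9.15",
    "web-03": "4.14.15-beta.1",
    "web-04": "4.14.15",
    "web-05": "5.0.0-RC1",
    "web-06": "5.6.17",
    "web-07": "5.7.2",
    "legacy": "2.9.3",
    "broken": "latest",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {SAMPLE_INVENTORY[host]:16} {status}")
```

Hosts reported as "affected" need the upgrade and the log, web-shell and content review described above; "unknown" entries need their version confirmed by hand before they can be ruled out.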


CVE-2025-32432 vulnerability details – vuln.today
