CVE-2025-32432

CRITICAL · KEV · NUCLEI

CraftCMS - Remote Code Execution

Title source: nuclei

Exploitation Summary

CVE-2025-32432 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 20, 2026. EIP tracks 9 public exploits from researchers including banyamer, Sachinart and Chocapikk, as well as a Metasploit module, exploits/linux/http/craftcms_preauth_rce_cve_2025_32432. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a pre-authentication RCE in Craft CMS by leveraging a Yii deserialization gadget chain (FieldLayoutBehavior → PhpManager) and PHP session poisoning. It brute-forces an Asset ID, injects malicious PHP code into a session file, and triggers deserialization to execute arbitrary commands.

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Exploits (9)

exploitdb · WORKING POC
by banyamer · python · webapps · multiple
https://www.exploit-db.com/exploits/52525

This exploit demonstrates a pre-authentication RCE in Craft CMS by leveraging a Yii deserialization gadget chain (FieldLayoutBehavior → PhpManager) and PHP session poisoning. It brute-forces an Asset ID, injects malicious PHP code into a session file, and triggers deserialization to execute arbitrary commands.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Craft CMS <= 3.9.14, <= 4.14.14, <= 5.6.16
No auth needed
Prerequisites: PHP session file write access · valid Asset ID (brute-forced or known)
devstral-2 · analyzed Apr 30, 2026
nomisec · WORKING POC · 24 stars
by Sachinart · remote
https://github.com/Sachinart/CVE-2025-32432

This repository contains a functional PoC exploit for CVE-2025-32432, a pre-authentication RCE vulnerability in CraftCMS 4.x and 5.x. The exploit leverages PHP object injection via the asset transform generation feature to achieve remote code execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: CraftCMS 4.x and 5.x
No auth needed
Prerequisites: Access to the CraftCMS admin dashboard endpoint · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026
nomisec · SCANNER · 10 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2025-32432

This repository contains a Go-based scanner for CVE-2025-32432, which checks for a deserialization vulnerability in Craft CMS. The tool sends a crafted payload to the target URL and checks for the presence of 'PHP Credits' in the response to determine vulnerability.

Classification: Scanner 90% · Attack Type: Deserialization · Complexity: Moderate · Reliability: Reliable
Target: Craft CMS
Auth required
Prerequisites: Access to the admin dashboard · Valid CSRF token
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 2 stars
by bambooqj · remote
https://github.com/bambooqj/CVE-2025-32432

This is a functional exploit for CVE-2025-32432 targeting CraftCMS, leveraging session injection and deserialization to achieve remote code execution. The PoC includes multiple injection methods and enhanced detection for phpinfo disclosure and command execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: CraftCMS (version not specified)
No auth needed
Prerequisites: Target CraftCMS instance with vulnerable endpoint accessible · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by cd-ratel · remote
https://github.com/cd-ratel/CVE-2025-32432

This repository contains a functional exploit for CVE-2025-32432, an unauthenticated remote code execution vulnerability in Craft CMS. The exploit leverages a gadget chain involving Yii2's PhpManager and nginx log poisoning to achieve RCE.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Craft CMS (versions <= 5.6.16, <= 4.15.2, <= 3.9.14)
No auth needed
Prerequisites: Network reachability to the target HTTP(S) endpoint · A valid Craft assetId on the target
devstral-2 · analyzed May 16, 2026
nomisec · WORKING POC · 1 star
by CTY-Research-1 · poc
https://github.com/CTY-Research-1/CVE-2025-32432-PoC

This repository contains two Python scripts for exploiting CVE-2025-32432, a pre-authentication RCE vulnerability in CraftCMS. The scripts leverage session poisoning and deserialization gadgets to achieve remote code execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: CraftCMS < 3.9.15, < 4.14.15, < 5.6.17
No auth needed
Prerequisites: Target running vulnerable CraftCMS version · Network access to the target
devstral-2 · analyzed Feb 16, 2026
github · WORKING POC
by TheMursalin · python · remote
https://github.com/TheMursalin/CVE-2025-32432

This repository contains a functional Python exploit for CVE-2025-32432, a pre-authentication RCE vulnerability in Craft CMS. The exploit chains session poisoning with a Yii deserialization gadget to achieve remote code execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Craft CMS (versions ≤ 3.9.14, ≤ 4.14.14, ≤ 5.6.16)
No auth needed
Prerequisites: Python 3.7+ · requests library · urllib3 library · valid target URL · optional known Asset ID
devstral-2 · analyzed Apr 30, 2026
github · WORKING POC
by Acczdy · python · poc
https://github.com/Acczdy/CVE-Vault/tree/master/CVE-2025-32432

This repository contains a functional Python-based proof-of-concept exploit for CVE-2025-32432, a critical deserialization vulnerability in Craft CMS that allows unauthenticated remote code execution via the generate-transform endpoint. The script includes target validation, version detection, and exploit logic.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Craft CMS 3.0.0-RC1 to 3.9.15, 4.0.0-RC1 to 4.14.15, 5.0.0-RC1 to 5.6.17
No auth needed
Prerequisites: Target must be running a vulnerable version of Craft CMS · Network access to the target
devstral-2 · analyzed Mar 08, 2026
metasploit · WORKING POC · EXCELLENT
by Nicolas Bourras (Orange Cyberdefense), Valentin Lobstein · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb

This Metasploit module exploits an unauthenticated RCE in Craft CMS via the image transform endpoint by injecting a PHP payload into the session and triggering execution through a Yii gadget chain.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Craft CMS versions 3.x, 4.x, and 5.x < 5.6.17
No auth needed
Prerequisites: Network access to the target Craft CMS instance · Valid asset ID for the image transform endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

CraftCMS - Remote Code Execution
CRITICAL · by iamnoooob, rootxharsh, pdresearch
Shodan: http.component:"Craft CMS"

Scores

CVSS v3: 10.0
EPSS: 0.9309
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2026-03-20
VulnCheck KEV: 2025-04-18
ENISA EUVD: EUVD-2025-12521
CWE: CWE-94
Status: published
Products (5)
craftcms/cms 3.0.0-RC1 - 3.9.15 (Packagist)
craftcms/cms >= 3.0.0-RC1, < 3.9.15
craftcms/cms >= 4.0.0-RC1, < 4.14.15
craftcms/cms >= 5.0.0-RC1, < 5.6.17
craftcms/craft_cms 3.0.0 - 3.9.15
Published: Apr 25, 2025
KEV Added: Mar 20, 2026
Tracked Since: Feb 18, 2026