Intelligence Brief, April 25, 2025
CVE-2025-32432

Craft CMS — Unauthenticated Remote Code Execution via Image Transform Endpoint

CVSS 10 CRITICAL | KEV CONFIRMED
EPSS Probability: 97.0%

CVE-2025-32432 is a CVSS 10.0 unauthenticated remote code execution vulnerability in Craft CMS, affecting all major version lines from 3.x through 5.x. Attackers exploit an insecure PHP object deserialization path in the image transformation endpoint, requiring no credentials and no user interaction. Active exploitation began in February 2025 and CISA added this to the KEV catalog on March 20, 2026 with a federal remediation deadline of April 3.

Overview

CVE-2025-32432 is a critical unauthenticated remote code execution vulnerability in Craft CMS, a widely used PHP-based content management system built on the Yii framework. The vulnerability was discovered by the Ethical Hacking team at Orange Cyberdefense during a forensic investigation into a compromised web server in mid-February 2025. Their CSIRT team traced an active intrusion back to exploitation of this flaw, which led to the coordinated discovery and disclosure of both CVE-2025-32432 and a related Yii framework vulnerability, CVE-2024-58136.

Craft CMS published fixes on April 10, 2025 across all supported major version lines (3.9.15, 4.14.15, and 5.6.17). The vulnerability was formally published to NVD on April 25, 2025. Despite being patched nearly a year before this writing, CISA added CVE-2025-32432 to the Known Exploited Vulnerabilities catalog on March 20, 2026, confirming that exploitation of unpatched instances remains active in the wild and has expanded to the point of warranting a federal remediation mandate with a deadline of April 3, 2026.

The vulnerability affects Craft CMS 3.0.0 through 3.9.14, 4.0.0 through 4.14.14, and 5.0.0 through 5.6.16 — effectively every version of every major release line for the past several years. Given that Craft CMS powers a significant number of high-profile digital publishing, agency, and enterprise websites, the exposure surface is substantial.

Technical Details

The root cause is PHP object deserialization of attacker-controlled input in the image asset transformation endpoint at /index.php?p=admin/actions/assets/generate-transform. This endpoint is accessible without authentication, and in versions 4.x and 5.x, the asset ID validation check occurs after the transformation object is instantiated — meaning the deserialization of attacker-supplied data in the request body occurs before any ownership or access check is enforced.

The exploit proceeds in three stages documented by Orange Cyberdefense's investigation of a real intrusion:

Stage 1 — Asset ID enumeration. The attacker sends sequential POST requests to the transform endpoint with incrementing assetId values. A 404 response indicates no such asset exists; a 302 redirect confirms the asset ID is valid. This enumeration is trivially automated and typically resolves a valid ID within seconds.

Stage 2 — Deserialization probe. With a valid asset ID, the attacker sends a crafted POST body containing a nested JSON structure that exploits the Yii framework's property injection mechanism. The handle field, which is expected to contain image transform parameters (width, height), is instead given a sub-key such as "as session" that carries a PHP class path and constructor arguments. The server deserializes this structure directly. A probe payload referencing phpinfo can confirm whether the target is vulnerable.

Stage 3 — Payload delivery via PHP session file injection. The attacker first sends a GET request to a Craft admin URL with PHP code embedded in a query parameter (e.g., file_put_contents("filemanager.php", file_get_contents(...))) while unauthenticated. Craft CMS writes the return URL — including the PHP code — into a PHP session file on disk (typically under /var/lib/php/sessions/). The attacker then uses the deserialization gadget chain to invoke Yii's PhpManager class with the session file path as the itemFile argument, causing the PHP engine to include the session file and execute the embedded code.

The result: an unauthenticated attacker drops a PHP web shell (in the documented incident, a publicly available file manager) onto the server with no credentials, no prior access, and no user interaction required.
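As an added, defensive example (not code from the brief, from Craft CMS, or from Orange Cyberdefense): a small log-analysis script that looks for the Stage 1 and Stage 3 traffic patterns described above in combined-format web server access logs. The endpoint path is the one the brief names; the sample log lines, the source addresses (documentation ranges, not the IoCs from the brief) and the enumeration threshold are constructed for the example.

```python
"""Detection heuristics for the three-stage exploitation pattern described above.

Added example for this brief; not code from Craft CMS or Orange Cyberdefense.
Assumes combined-format web server access logs. All sample log lines below
are constructed, and the IP addresses are documentation ranges, not real IoCs.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# The unauthenticated action the brief identifies as the deserialization sink.
TRANSFORM_ACTION = "admin/actions/assets/generate-transform"
# PHP constructs that have no business in a query string sent to the control panel.
PHP_CODE_MARKERS = ("<?php", "file_put_contents", "file_get_contents", "eval(", "system(")

# Constructed sample: Stage 1 enumeration from one source (a run of 404s ending in
# a 302), a Stage 3 style GET carrying PHP code from another, and ordinary editor
# traffic from a third that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2025:08:01:01 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 404 0
203.0.113.10 - - [10/Feb/2025:08:01:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 404 0
203.0.113.10 - - [10/Feb/2025:08:01:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 404 0
203.0.113.10 - - [10/Feb/2025:08:01:03 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 404 0
203.0.113.10 - - [10/Feb/2025:08:01:03 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 302 0
198.51.100.7 - - [10/Feb/2025:08:05:10 +0000] "GET /admin?return=%3C%3Fphp%20file_put_contents%28%29%3B HTTP/1.1" 302 0
192.0.2.44 - - [10/Feb/2025:08:06:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120
192.0.2.44 - - [10/Feb/2025:08:06:30 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_transform_request(rec):
    """True if the request targets the transform action, via ?p= or a clean path."""
    parts = urlsplit(rec["path"])
    p_param = parse_qs(parts.query).get("p", [""])[0]
    return TRANSFORM_ACTION in p_param or TRANSFORM_ACTION in parts.path


def detect_enumeration(records, threshold=5):
    """Stage 1 signature: one source POSTing repeatedly to the transform action,
    collecting 404s (unknown asset IDs) and eventually a 302 (valid ID)."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "redirects": 0})
    for r in records:
        if r["method"] == "POST" and is_transform_request(r):
            c = per_ip[r["ip"]]
            c["total"] += 1
            if r["status"] == 404:
                c["not_found"] += 1
            elif r["status"] == 302:
                c["redirects"] += 1
    # A single legitimate transform request never produces a burst of 404s.
    return {ip: c for ip, c in per_ip.items()
            if c["total"] >= threshold and c["not_found"] > 0}


def detect_session_injection(records):
    """Stage 3 signature: an unauthenticated GET to a control-panel URL whose
    query string carries PHP source (the return URL that lands in the session file)."""
    hits = []
    for r in records:
        if r["method"] != "GET":
            continue
        decoded = unquote(r["path"])
        if "admin" in decoded and any(marker in decoded for marker in PHP_CODE_MARKERS):
            hits.append((r["ip"], r["path"]))
    return hits


def analyze(log_text):
    """Run both detectors over raw log text and return their findings."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "enumeration": detect_enumeration(records),
        "session_injection": detect_session_injection(records),
    }


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

The enumeration threshold is deliberately low for the sample; on a busy site, tune it per source over a sliding window and combine it with the second detector, since a burst of 404s on this action followed by a GET with PHP in the query string is the sequence the brief documents.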

CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weakness classification: CWE-94 (Improper Control of Generation of Code). The underlying Yii framework flaw that enables the gadget chain is tracked separately as CVE-2024-58136.

Threat Landscape

Active exploitation was first observed on February 10, 2025, according to Orange Cyberdefense's forensic timeline. The threat actor responsible for the February 2025 campaign operated from IP address 103.106.66.123, used Python's requests library for enumeration, and pivoted to a second IP (172.86.113.137) for the PHP injection step. Post-exploitation involved deploying a PHP file manager from a public GitHub repository to establish persistent web shell access.

CISA's KEV addition on March 20, 2026 — nearly eleven months after the patch — indicates that exploitation did not die down after the April 2025 fixes. A substantial population of unpatched Craft CMS installations remains reachable on the internet, and automated exploitation tooling has been available since the vulnerability was publicly documented.

No specific named threat actor group or nation-state has been publicly attributed to the ongoing exploitation campaigns as of this writing. The February 2025 campaign displayed characteristics consistent with opportunistic cybercrime (commodity file manager, public tooling, automated scanning), but the continued KEV addition implies that exploitation volume is high enough to affect federal environments or their supply chains.

Orange Cyberdefense assessed that multiple Craft CMS installations were compromised in the February 2025 campaign, though exact victim counts have not been publicly disclosed.

Why This Matters

Craft CMS occupies an interesting position in the CMS ecosystem. It is not WordPress — it does not have WordPress's mass-market ubiquity — but it is the CMS of choice for agencies, publishers, and organizations that consider themselves too sophisticated for off-the-shelf solutions. That population tends to have less aggressive patch management than enterprise software shops because they often rely on web development agencies for maintenance, and CMS updates on production sites are treated with caution to avoid breaking customizations.

This creates a long tail of vulnerable installations. The CVE was patched in April 2025. CISA is adding it to KEV in March 2026. That eleven-month gap tells a story: enough sites remained unpatched for long enough that threat actors found them worth actively targeting a year later.

The exploit mechanics are also worth understanding for what they reveal about modern PHP application security. The attack does not rely on a buffer overflow, a memory corruption bug, or any low-level vulnerability. It exploits the combination of two architectural decisions: a framework that allows property injection during object construction, and an application that passes attacker-controlled data to that deserialization path before performing access checks. This class of vulnerability is repeatable across any PHP framework that uses magic methods or configurable constructors as the foundation of its serialization layer. CVE-2024-58136 (the Yii framework component) is the upstream root cause; CVE-2025-32432 is the Craft CMS manifestation.

Finally, this CVE is a reminder that the security of a CMS is a function of its entire dependency graph, not just the application code. Craft CMS's exposure here was inherited from Yii's deserialization behavior. Organizations running Craft CMS should treat framework-level vulnerabilities in their CMS's dependencies as first-party concerns.

Affected Versions

Craft CMS 3.0.0 through 3.9.14
Craft CMS 4.0.0 through 4.14.14
Craft CMS 5.0.0 through 5.6.16

Remediation

Upgrade to one of the following patched versions, released April 10, 2025:

Craft CMS 3.9.15 (3.x line)
Craft CMS 4.14.15 (4.x line)
Craft CMS 5.6.17 (5.x line)

If immediate upgrade is not possible:

Urgency: High. Federal deadline is April 3, 2026. For non-federal organizations with internet-facing Craft CMS installations, treat this as an immediate patching priority. The exploit is publicly documented, tooling exists, and active scanning is confirmed.
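An added example, not code from the brief or from the Craft CMS project: a check that reads a project's composer.lock (the standard Composer lock file, in which Craft is assumed here to be listed as the craftcms/cms package) and compares the installed version with the fixed releases the brief names (3.9.15, 4.14.15, 5.6.17). The sample lock data is constructed.

```python
"""Check whether a Craft CMS install is on a release fixed for CVE-2025-32432.

Added example for this brief; not code from Craft CMS. Assumes a Composer
lock file listing Craft as the craftcms/cms package. Sample data is constructed.
"""
import json
import re
import sys

# Fixed releases from the brief, keyed by major version line. Everything in a
# line below its fixed release (back to x.0.0) is in the affected range.
FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

# Constructed composer.lock fragment with a vulnerable 4.x install.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.51"},
        {"name": "craftcms/cms", "version": "4.14.14"},
    ]
})


def parse_version(text):
    """Turn '4.14.14', 'v4.14.14' or '5.7.0-beta.1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def craft_version_from_lock(lock_text):
    """Return the installed craftcms/cms version tuple, or None if not present."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return parse_version(pkg["version"])
    return None


def assess(version):
    """Classify a version tuple as 'patched', 'vulnerable' or 'unsupported-line'."""
    major = version[0]
    if major not in FIXED:
        # 2.x and earlier, or lines newer than the brief covers: out of scope here.
        return "unsupported-line"
    return "patched" if version >= FIXED[major] else "vulnerable"


def assess_lock(lock_text):
    """Convenience wrapper: assessment for a whole composer.lock document."""
    version = craft_version_from_lock(lock_text)
    return "craft-not-found" if version is None else assess(version)


if __name__ == "__main__":
    # Usage: python check_craft.py /path/to/composer.lock (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(assess_lock(text))
```

Run it against each internet-facing install's composer.lock; a result of "vulnerable" on a line the brief covers means the instance is inside the affected ranges and should be upgraded to the corresponding fixed release.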

References


Powered by RiskScore — https://api.riskscore.dev