CVE-2025-32432 — Craft CMS Code Injection Vulnerability

CVE-2025-32432

Craft CMS — Pre-Auth PHP Object Injection Enabling Remote Code Execution (CVSS 10)

What is Craft CMS?

Craft CMS is a flexible, powerful content management system used by agencies, enterprises, and publishers worldwide to build websites and digital experiences. It is built on PHP and uses the Yii framework, with Twig for templating. Craft CMS powers a significant portion of custom-built enterprise and media websites — making it a target for attackers seeking to compromise web content delivery, plant malware in websites, or steal data from CMS databases containing customer and editorial information.

Overview

CVE-2025-32432 is a maximum-severity code injection vulnerability (CWE-94, CVSS 10.0) in Craft CMS. An unauthenticated remote attacker can send a specially crafted HTTP request that triggers PHP object instantiation via Craft's deserialization or template rendering pathways, ultimately achieving arbitrary PHP code execution on the server. The Scope:Changed (S:C) rating reflects that exploitation crosses from the CMS application context into the underlying web server OS. CISA added CVE-2025-32432 to the KEV catalog in March 2026 — approximately 11 months after the patch — confirming active exploitation of long-tail unpatched instances.

Affected Versions

Branch          Vulnerable           Fixed
Craft CMS 3.x   Prior to 3.9.15      3.9.15
Craft CMS 4.x   Prior to 4.14.15     4.14.15
Craft CMS 5.x   Prior to 5.6.17      5.6.17

Technical Details

The vulnerability (CWE-94: Code Injection) lies in Craft CMS's handling of user-supplied data during request processing. Craft CMS uses PHP's object serialization/deserialization mechanisms internally, and certain code paths process attacker-controlled input in ways that allow PHP class instantiation with attacker-specified properties. By crafting a request with a malicious payload, an attacker can trigger PHP gadget chains present in Craft's dependencies (the Yii framework and Composer-installed packages), leading to arbitrary PHP code execution.

The attack vector is unauthenticated and requires only network access to the Craft CMS web application — no account or session is needed. The CVSS Availability:Low rating reflects that exploitation disrupts service only incidentally rather than as the primary impact.

Discovery

Reported through Craft CMS's responsible disclosure program; details are in GitHub advisory GHSA-f3gw-9ww9-jmc3.

Exploitation Context

CISA added CVE-2025-32432 to the KEV catalog on 20 March 2026 — approximately 11 months after the patch — alongside companion CVE-2025-54068 (Laravel Livewire). The late KEV addition confirms active exploitation of websites that had not updated Craft CMS over nearly a year. The long-tail exploitation window reflects Craft's diverse deployment across independently managed websites and agencies where update cadences vary widely.

Remediation

  1. Upgrade Craft CMS immediately: 3.9.15+ (for 3.x), 4.14.15+ (for 4.x), 5.6.17+ (for 5.x).
  2. Verify the installed version: check the Craft CMS control panel footer or composer show craftcms/cms.
  3. Audit the web server for unexpected PHP files, webshells, or modified CMS templates.
  4. Check Craft CMS logs (storage/logs/) for unusual request patterns, particularly to admin-adjacent endpoints, from unexpected IP addresses.
  5. Review database content for unauthorized content modifications or new administrative user accounts.
  6. Restrict Craft CMS admin panel access to trusted IP ranges using web server or reverse proxy IP allowlisting.
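Steps 1 and 2 as a script, added here as an example; it is not part of the advisory or of Craft CMS. It assumes the pinned craftcms/cms version is read from the site's composer.lock (the advisory itself points at the control panel footer or `composer show craftcms/cms`), and the composer.lock fragment below is constructed.

```python
import json
import re

# Fixed releases per branch, taken from the Affected Versions table.
FIXED_BY_BRANCH = {3: "3.9.15", 4: "4.14.15", 5: "5.6.17"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Return (major, minor, patch, is_final) so versions compare as tuples.

    is_final is 0 for a pre-release such as '5.6.17-beta.1' and 1 for a final
    release, so a pre-release of the fixed version still sorts below the fix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Craft CMS version: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable(version):
    """True when `version` is older than the fixed release of its branch."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[0])
    if fixed is None:  # 2.x and earlier are outside the advisory table
        raise ValueError(f"branch {parsed[0]}.x is not covered by the advisory")
    return parsed < parse_version(fixed)


def installed_version(composer_lock_text):
    """Return the craftcms/cms version pinned in a composer.lock document."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    raise LookupError("craftcms/cms is not present in composer.lock")


def check_installation(composer_lock_text):
    """Report the pinned version and whether it predates the fix."""
    version = installed_version(composer_lock_text)
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed composer.lock fragment (not from a real site), pinned to 4.14.3.
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.14.3"},
    {"name": "vendor/example-plugin", "version": "1.0.0"},
]})

if __name__ == "__main__":
    print(check_installation(SAMPLE_COMPOSER_LOCK))  # {'version': '4.14.3', 'vulnerable': True}
```

Run it against the real composer.lock with `check_installation(open("composer.lock").read())`; a result of `vulnerable: False` only means the branch's fix is installed, so steps 3 to 6 still apply to any instance that was exposed while unpatched.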

Key Details

Property              Value
CVE ID                CVE-2025-32432
Vendor / Product      Craft CMS — Craft CMS
NVD Published         2025-04-25
NVD Last Modified     2026-03-20
CVSS 3.1 Score        10
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Severity              CRITICAL
CWE                   CWE-94
CISA KEV Added        2026-03-20
CISA KEV Deadline     2026-04-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          Low

Required Action

CISA BOD 22-01 Deadline: 2026-04-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-04-25    CVE published; Craft CMS 3.9.15, 4.14.15, 5.6.17 released
2026-03-20    CISA adds to Known Exploited Vulnerabilities catalog (alongside Laravel Livewire CVE-2025-54068)
2026-04-03    CISA BOD 22-01 remediation deadline