CISA Warns of Craft CMS Code Injection Flaw Exploited in Active Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability affecting Craft CMS to its Known Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2025-32432, this code injection flaw is currently being exploited in active attacks across the wild.
Organizations utilizing this content management system are urged to apply mitigations immediately to prevent potential system compromises.
Discovered during an incident response investigation, CVE-2025-32432 carries a maximum CVSS v3.1 severity score of 10.0, marking it as a critical threat.
The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected servers.
This high-impact, low-complexity attack vector affects multiple major versions of Craft CMS, specifically spanning the 3.x, 4.x, and 5.x release branches.
The root cause stems from the improper handling of untrusted input, classified under CWE-94 as the improper control of code generation.
From a technical perspective, the vulnerability exploits an insecure deserialization issue within the asset transform generation feature of Craft CMS. Attackers can exploit this by injecting a custom PHP object that the application unsafely deserializes. The exploitation chain involves planting a malicious PHP payload into a session file via a crafted URL request. Next, the attacker abuses the Yii framework behavior gadget chain, targeting the PhpManager component on the generate-transform endpoint. By utilizing an object injection technique, the attacker forces the application to process the poisoned file, which executes the injected code and grants full remote code execution capabilities.
It remains unknown whether ransomware groups are currently utilizing this vulnerability in extortion campaigns. However, the pre-authentication nature of the flaw and the availability of proof-of-concept exploits make it an attractive target for threat actors.
Defenders should actively monitor environments for unauthorized webshell deployments or suspicious reverse shell connections, which are common post-exploitation activities following a successful compromise.
To mitigate this severe threat, the developers have released security updates addressing the insecure deserialization flaw.
The vulnerability impacts Craft CMS versions ranging from 3.0.0 through 3.9.14, 4.0.0 through 4.14.14, and 5.0.0 through 5.6.16.
Administrators must urgently upgrade installations to the patched versions, which include releases 3.9.15, 4.14.15, and 5.6.17.
These updates also serve as an additional fix for a previously documented vulnerability tracked as CVE-2023-41892.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies are mandated to secure their networks against this specific threat.
CISA officially added this vulnerability to the KEV catalog on March 20, 2026, and set a strict remediation deadline of April 3, 2026.
All organizations should use the KEV catalog for vulnerability management prioritization. Administrators must apply vendor patches, follow cloud service guidance, or discontinue product use if immediate mitigations are unavailable.