
Craft CMS, a widely used content management system for developers and agencies, has disclosed a critical vulnerability tracked as CVE-2025-32432, affecting multiple major versions. The vulnerability, rated CVSS 10, enables remote code execution (RCE) through a flaw inherited from the Yii PHP framework, and has already been observed under active exploitation in the wild.
The bug stems from an upstream issue in the Yii framework, fixed in Yii 2.0.52. Craft CMS, which depends on Yii, inherited this vulnerability in versions prior to the patched releases: 3.9.15, 4.14.15, and 5.6.17.
Although Craft had already addressed a related issue under CVE-2023-41892, this new discovery warranted a separate fix and advisory.
“This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892,” reads the CVE description.
Craft CMS confirmed exploitation of this vulnerability began shortly after disclosure: “On April 17, 2025, we discovered evidence to suggest the vulnerability was being exploited in the wild.”
In response, banners were deployed to affected admin panels, and emails were sent to all potentially affected license holders with upgrade instructions and temporary mitigations.
Admins can check for probing attempts in their logs: “check your firewall logs or web server logs and find suspicious POST requests to the actions/assets/generate-transform Craft controller endpoint, specifically with the string __class in the body.”
While such entries indicate scanning, they do not confirm a successful breach.
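The log check quoted above can be scripted. The following is an added example written for this article, not code from Craft CMS or the advisory: it scans constructed sample logs for POST requests to the actions/assets/generate-transform endpoint and grades each hit by whether the __class marker was visible. Standard nginx/Apache access logs do not record the request body, so a match there is only a path match (medium confidence); a firewall or WAF log that keeps the body (here an assumed JSON-lines schema with src_ip, method, uri and body fields) can confirm the marker (high confidence). The log formats, field names and all addresses are assumptions.

```python
"""Added example: scan request logs for the probing pattern the Craft
advisory describes (POST to actions/assets/generate-transform with the
string __class in the body). Log formats and field names are assumed."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ENDPOINT = "actions/assets/generate-transform"   # endpoint named in the advisory
BODY_MARKER = "__class"                           # body string named in the advisory

# Common/combined access-log format as written by nginx and Apache. These logs
# carry no request body, so a hit here is a path match only (medium confidence).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    source: str       # "access" or "waf"
    ip: str
    path: str
    confidence: str   # "high" = body marker seen, "medium" = path only


def scan_access_line(line: str) -> Optional[Finding]:
    """Flag POST requests to the vulnerable controller endpoint in an access log."""
    m = ACCESS_RE.match(line)
    if not m or m["method"] != "POST" or ENDPOINT not in m["path"]:
        return None
    return Finding("access", m["ip"], m["path"], "medium")


def scan_waf_line(line: str) -> Optional[Finding]:
    """Flag POSTs to the endpoint in a JSON-lines firewall log that records the
    request body (src_ip/method/uri/body is an assumed schema, not a real product's)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("method") != "POST" or ENDPOINT not in rec.get("uri", ""):
        return None
    conf = "high" if BODY_MARKER in rec.get("body", "") else "medium"
    return Finding("waf", rec.get("src_ip", "?"), rec["uri"], conf)


def scan(access_lines: Iterable[str], waf_lines: Iterable[str]) -> List[Finding]:
    """Run both scanners; unparseable lines are skipped rather than aborting the run."""
    findings = [f for f in map(scan_access_line, access_lines) if f]
    findings += [f for f in map(scan_waf_line, waf_lines) if f]
    return findings


def high_confidence_ips(findings: Iterable[Finding]) -> set:
    """Sources that sent the body marker. Probing alone does not prove a breach;
    these are the hosts whose activity is worth correlating with the server state."""
    return {f.ip for f in findings if f.confidence == "high"}


# Constructed sample logs (not real traffic); addresses are documentation ranges.
SAMPLE_ACCESS = [
    '203.0.113.10 - - [17/Apr/2025:10:01:12 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Apr/2025:10:02:30 +0000] "GET /actions/assets/generate-transform?id=1 HTTP/1.1" 200 8123',
    '198.51.100.8 - - [17/Apr/2025:10:03:01 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0',
    'garbage line that does not parse',
]
SAMPLE_WAF = [
    '{"src_ip": "203.0.113.10", "method": "POST", "uri": "/index.php?p=actions/assets/generate-transform", "body": "assetId=1&transform=__class"}',
    '{"src_ip": "192.0.2.44", "method": "POST", "uri": "/actions/assets/generate-transform", "body": "assetId=1&handle=thumb"}',
    '{"src_ip": "192.0.2.45", "method": "GET", "uri": "/actions/assets/generate-transform", "body": ""}',
    'not json',
]

if __name__ == "__main__":
    results = scan(SAMPLE_ACCESS, SAMPLE_WAF)
    for f in results:
        print(f"[{f.confidence:6}] {f.source:6} {f.ip:15} {f.path}")
    print("high-confidence probing from:", sorted(high_confidence_ips(results)))
```

Run against real files by replacing the two sample lists with the lines of your access log and firewall log. Ordinary GET traffic to the transform endpoint is part of normal Craft operation and is deliberately not flagged; only POSTs are, and only a body-level match counts as strong evidence of the specific probe.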
Craft CMS strongly urges all affected users to update immediately to the patched versions (3.9.15, 4.14.15, or 5.6.17).
If an immediate upgrade isn’t feasible, you can:
- Install the Craft CMS Security Patches library as a temporary workaround.
- Block suspicious POST body requests at the firewall targeting the vulnerable endpoint.
Craft Cloud users benefit from preemptive protection: “We have configured Craft Cloud’s global firewall to block malicious requests targeting this exploit.”
If you believe your site may have been exploited, Craft recommends the following remediation steps:
- Refresh your Craft security key using the command: php craft setup/security-key
- Rotate any stored API keys or environment credentials
- Rotate database credentials
- Force a password reset for all users using: