CVE-2025-32432

Name: CVE-2025-32432
Creator: NVD / NIST
Published: 2025-04-25T15:15:36.44+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 10/10Actively ExploitedEPSS 99.80%

Last modified Jun 17, 2026

CVE-2025-32432 is a critical-severity vulnerability rated 10/10 on the CVSS scale. Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.80% chance of exploitation in the next 30 days.

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Metrics

CVSS 3.1

10/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

99.80%

100.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Apr 3, 2026.

Weakness Enumeration

CWE-94

Affected Software

Vendor	Product	Versions
Craftcms	Craft Cms	>= 3.0.0, < 3.9.15
Craftcms	Craft Cms	>= 4.0.0, < 4.14.15
Craftcms	Craft Cms	>= 5.0.0, < 5.6.17

References

https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-criticalProduct, Release Notes
https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-criticalProduct, Release Notes
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-criticalProduct, Release Notes
https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47Patch
https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3Vendor Advisory
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/Exploit, Press/Media Coverage
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432US Government Resource

Timeline

Published: Apr 25, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-32432?

How severe is CVE-2025-32432?

CVE-2025-32432 has a CVSS score of 10/10 (CRITICAL severity). The EPSS model estimates a 99.80% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2025-32432?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-32432?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST