[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2025-32432: Craft CMS Code Injection Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Fri Mar 20 10:11:27 PDT 2026


Good morning,
The SOC Services team is reporting on the vulnerability CVE-2025-32432, affecting Craft CMS, a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Because of the public disclosure of a high-impact privilege escalation vulnerability with proof-of-concept availability, we are providing this in-depth information.
History: On April 7, 2025, Craft CMS received a report detailing a dependency issue in the Yii framework, related to pre-authenticated code injection. NVD published the CVE on 4/25/2025 and last modified it on 3/20/2026. A CVSS v3.x base score of 10.0 (Critical) was assigned by NIST.
Affected Versions

  *   Version 3.0.0-RC1 to 3.9.14
  *   Version 4.0.0-RC1 to 4.14.14
  *   Version 5.0.0-RC1 to 5.6.6
Fixed Versions

  *   Version 3.9.15
  *   Version 4.14.15
  *   Version 5.6.17
The vendor has provided a knowledge base article regarding this vulnerability, which is posted on their website.
Vendor Advisory: Craft CMS and CVE-2025-32432 <https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432>
Intelligence: On March 19, 2026, CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
Exploitability Level: Low Complexity, Network Exploitability
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Yes
Zero Day: Yes
Workarounds:

  *   Block suspicious POST requests to the 'actions/assets/generate-transform' endpoint at the firewall.
  *   Install the Craft CMS Security Patches library as a temporary workaround for those unable to update.
How it Works: Craft CMS mistakenly allows untrusted JSON/array data to be passed directly to createObject() via the AssetsController::actionGenerateTransform endpoint. This leads to a classic object injection vulnerability, essentially an "insecure deserialization" problem in the Yii2 DI container.
Post-Exploit Impact:

  *   CWE-94: Improper Control of Generation of Code ('Code Injection')
Indicators of Compromise (IoCs):

  Type           Value                              Description / Notes
  Log Artifact   /index.php?p=admin/actions/assets/generate-transform containing __class, as session, or as hack
  Malicious IP   103.106.66.123                     Used to probe asset IDs and test exploitability via python-requests/2.27.1
  Malicious IP   172.86.113.137 and 104.161.32.11   Used to download and delete the filemanager.php backdoor
Tenable Plugins:

  Plugin ID   Plugin Title                                                                 Severity   Platform
  114786      CraftCMS 3.x < 3.9.15 / 4.x < 4.14.15 / 5.x < 5.6.17 Remote Code Execution   Critical   Web Application Scanning
Recommended Actions:
Date Added to KEV Catalog: 03/19/2026
Due Date for Remediation: 04/03/2026

  *   Update vulnerable systems to Craft CMS version 3.9.15, 4.14.15, or 5.6.17 after testing.
  *   Investigate for signs of compromise by reviewing web server logs for suspicious POST requests to the 'actions/assets/generate-transform' endpoint and checking for malicious files such as 'filemanager.php' or 'autoload_classmap.php' on the filesystem.
  *   If compromise is suspected, refresh the security key, rotate private keys and database credentials, and force a password reset for all users.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
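The log review recommended above, and the log artifact and IP indicators listed in the IoC table, can be turned into a quick triage script. The following is an added example written for this alert, not code from Craft CMS or from the SOC; the access-log lines it scans are constructed (documentation-range addresses, not the real IoC IPs), and the severity tiers are an assumption of the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2026:09:01:12 -0700] "POST /index.php?p=admin/actions/assets/generate-transform&assetId=1&x=__class HTTP/1.1" 200 512 "-" "python-requests/2.27.1"
198.51.100.7 - - [20/Mar/2026:09:02:40 -0700] "POST /index.php?p=admin/actions/assets/generate-transform&assetId=1&x=as%20session HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Mar/2026:09:03:01 -0700] "GET /index.php?p=admin/dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2026:09:04:55 -0700] "POST /index.php?p=admin/actions/assets/generate-transform&assetId=42&handle=thumb HTTP/1.1" 200 200 "-" "Mozilla/5.0"
198.51.100.22 - - [20/Mar/2026:09:05:30 -0700] "GET /index.php?p=admin/actions/assets/generate-transform&assetId=7 HTTP/1.1" 404 0 "-" "python-requests/2.27.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ENDPOINT = "actions/assets/generate-transform"
MARKERS = ("__class", "as session", "as hack")  # log artifacts named in the advisory
KNOWN_IPS = {"103.106.66.123", "172.86.113.137", "104.161.32.11"}  # advisory IoC table


def triage(log_text):
    """Return one record per request that matches an indicator from the advisory.

    Severity (assumed tiers): high = advisory marker in the URL; medium = scripted
    client on the endpoint or a listed IP; low = any other POST to the endpoint.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m["path"])  # decode %20 / + so "as session" is visible
        on_endpoint = ENDPOINT in path
        found = [k for k in MARKERS if k in path] if on_endpoint else []
        scripted = on_endpoint and m["ua"].startswith("python-requests/")
        listed = m["ip"] in KNOWN_IPS
        reasons = []
        if found:
            reasons.append("marker in URL: " + ", ".join(found))
        if on_endpoint and m["method"] == "POST":
            reasons.append("POST to generate-transform endpoint")
        if scripted:
            reasons.append("scripted client: " + m["ua"])
        if listed:
            reasons.append("source IP listed in advisory IoCs")
        if not reasons:
            continue
        severity = "high" if found else ("medium" if (scripted or listed) else "low")
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                     "severity": severity, "reasons": reasons})
    return hits
```

Access logs record the query string but not the POST body, so a marker check on the URL alone will miss payloads sent in the body; the endpoint and client-string heuristics are there to surface those requests for manual review of application or WAF logs.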

Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378


