Executive Summary
A critical code injection vulnerability (CVE-2025-32432) has been identified in Craft CMS, a widely used PHP-based content management system. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on the server hosting the affected Craft CMS installation.
On March 20, 2026, CISA added CVE-2025-32432 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by the mandated deadline. All organizations running Craft CMS should treat this as an urgent, high-priority patch.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-32432 |
| CVSS Score | Critical |
| CWE | CWE-94 — Improper Control of Generation of Code (Code Injection) |
| Type | Remote Code Injection / RCE |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Vendor | Craft CMS |
| Product | Craft CMS |
| CISA KEV Added | March 20, 2026 |
| Exploitation Status | Actively exploited in the wild |
Affected Versions
| Product | Affected Versions | Action Required |
|---|---|---|
| Craft CMS | Multiple versions — see vendor advisory | Update immediately |
Administrators should consult the official Craft CMS security advisory and update to the latest patched release without delay.
Technical Analysis
Root Cause
The vulnerability exists in Craft CMS's handling of user-controlled input that is passed into code generation or execution pathways without sufficient validation or sanitization. This is classified as CWE-94 (Code Injection) — a class of vulnerabilities where attacker-supplied data is interpreted and executed as code by the application.
In Craft CMS's case, the flaw allows an unauthenticated attacker to craft a malicious request that causes the server to execute arbitrary PHP or system-level code, resulting in complete server compromise.
Attack Flow
1. Attacker identifies a publicly reachable Craft CMS installation
2. No authentication or valid account is required
3. Attacker crafts a malicious HTTP request containing an injection payload
4. Craft CMS processes the request and passes attacker-controlled data into a code generation or evaluation routine without proper sanitization
5. The injected code executes in the context of the web server process
6. Attacker achieves arbitrary code execution on the underlying server
7. Post-exploitation: webshell deployment, data exfiltration, lateral movement

Why This Is Critical
| Factor | Impact |
|---|---|
| No authentication required | Any internet-connected Craft CMS instance is a valid target |
| Fully remote exploitation | No physical access or internal network position needed |
| Code execution, not just data access | Attacker gains process-level control of the server |
| CISA KEV confirmed | Active exploitation is occurring — not just theoretical |
| Broad CMS install base | Craft CMS is widely deployed across enterprise, media, and government sites |
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full server compromise via injected code |
| Data Exfiltration | Access to CMS database, uploaded files, and configured credentials |
| Webshell Installation | Persistent backdoor for continued unauthorized access |
| Credential Theft | Database credentials, API keys, and environment secrets exposed |
| Lateral Movement | Compromised server used as pivot to internal network resources |
| Content Manipulation | Defacement, malicious redirects, or SEO spam injection |
| Supply Chain Risk | Sites serving content to end-users can be weaponized for client-side attacks |
Immediate Remediation
Step 1: Update Craft CMS Immediately
Apply the latest Craft CMS security update as published in the official Craft CMS changelog and security advisory:
```bash
# Update via Composer (recommended method)
composer update craftcms/cms

# Verify the installed version after update
php craft --version
```

Alternatively, use the Craft CMS control panel to apply available updates via Utilities > Updates.
Step 2: Verify Your Installation Is Patched
```bash
# Check installed Craft CMS version
composer show craftcms/cms | grep versions
# Confirm against the fixed version in the vendor advisory
```

Step 3: Scan for Indicators of Compromise

```bash
# Check for unexpected PHP files in the web root and storage directories
find /path/to/craftcms/ -name "*.php" -newer /path/to/craftcms/composer.json \
  -not -path "*/vendor/*" -not -path "*/storage/runtime/*" -type f

# Look for PHP files in upload or storage directories (should not exist)
find /path/to/craftcms/web/uploads/ \( -name "*.php" -o -name "*.phtml" \) -type f
find /path/to/craftcms/storage/ -name "*.php" -type f

# Review recent web server access logs for anomalous POST requests
grep -E "POST.*(index\.php|actions/)" /var/log/nginx/access.log | tail -200
```

Step 4: Restrict Access While Patching
If immediate patching is not possible, consider temporarily blocking public access to the Craft CMS control panel and taking the site offline until the patch can be applied:
```nginx
# Nginx — block Craft CMS admin panel temporarily
location /admin {
    deny all;
    return 403;
}
location /index.php/actions {
    deny all;
    return 403;
}
```

Step 5: Harden the Environment Post-Patching
Ensure PHP execution is blocked in upload directories. For Apache, add the following to the web server config or the upload directory's .htaccess (this is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use `Require all denied` in place of the Order/Deny directives):

```apache
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
```

Then rotate the application secret and force every user to re-authenticate:

```bash
# Regenerate Craft CMS security key
php craft setup/security-key

# Invalidate all active user sessions
php craft users/invalidate-sessions
```

Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected PHP files outside /vendor/ in the Craft root | Webshell installed post-exploitation |
| PHP files in /web/uploads/ or /storage/ directories | Post-exploitation persistence |
| Anomalous POST requests to index.php or actions/ endpoints | Exploitation attempt |
| Outbound connections from the PHP/web server process | Reverse shell or C2 beaconing |
| New admin or user accounts with recent creation timestamps | Attacker persistence |
| Unexpected cron jobs or scheduled tasks | Persistence mechanism |
| Log entries with unusual encoding or long parameter values | Injection payload in transit |
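As an added example (not part of this advisory or of Craft CMS), a small Python triage script that applies the log-based indicators above, and the access-log review from Step 3, to web server access lines: it parses combined-format nginx/Apache entries, keeps only POST requests to index.php or action endpoints, and flags those whose query string is unusually long, heavily percent-encoded, or carries code-like characters after decoding. The log lines, thresholds and file paths are constructed for the example.

```python
import re
import sys
from urllib.parse import urlsplit, unquote

# Assumes the nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Craft action requests: /actions/..., /index.php..., or ?p=actions/...
ACTION_RE = re.compile(r'^/actions/|/index\.php|[?&]p=actions/')
LONG_QUERY = 256   # query length threshold, chosen for this example; tune per site
MAX_ENCODED = 16   # %xx sequences tolerated before flagging "unusual encoding"

def classify(line):
    """Return a finding for a suspicious POST to a Craft action endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'POST' or not ACTION_RE.search(m['uri']):
        return None
    query = urlsplit(m['uri']).query
    reasons = []
    if len(query) > LONG_QUERY:
        reasons.append('long query string')
    if len(re.findall(r'%[0-9A-Fa-f]{2}', query)) > MAX_ENCODED:
        reasons.append('heavy percent-encoding')
    # PHP open tags or brace/semicolon syntax surviving URL-decoding merit manual review
    if re.search(r'<\?|[{};]', unquote(query)):
        reasons.append('code-like characters after decoding')
    if not reasons:
        return None
    return {'ip': m['ip'], 'ts': m['ts'], 'status': m['status'],
            'uri': m['uri'][:100], 'reasons': reasons}

def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample entries (not real traffic); the third carries an oversized,
# percent-encoded parameter of the kind the detection table describes.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Mar/2026:10:01:02 +0000] "GET /blog/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Mar/2026:10:01:05 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Mar/2026:10:02:11 +0000] "POST /index.php?p=actions/entries/save-entry&title='
    + '%41' * 100 + ' HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [21/Mar/2026:10:02:12 +0000] "POST /actions/users/save-user HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == '__main__':
    # Usage: python craft_triage.py /var/log/nginx/access.log  (defaults to the sample)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in scan(lines):
        print(finding['ip'], finding['ts'], finding['status'], ', '.join(finding['reasons']))
```

Findings are a starting point for manual review, not proof of compromise; correlate flagged source addresses with the file-system checks from Step 3.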
Post-Remediation Checklist
- Update Craft CMS to the latest patched version
- Verify the updated version matches the fixed release in the vendor advisory
- Audit PHP files across the web root for unexpected additions or modifications
- Review admin user accounts — remove any unauthorized accounts
- Reset all admin passwords and regenerate the Craft security key
- Invalidate all active sessions to force re-authentication of all users
- Scan upload and storage directories for PHP files that should not exist
- Review access logs for POST requests to Craft action endpoints prior to patching
- Deploy a WAF rule to detect and block code injection patterns in HTTP requests
- Enable two-factor authentication on all Craft CMS administrator accounts
- Notify your incident response team if compromise indicators are found
- Monitor for re-exploitation until confirmed patched across all environments