Craft CMS - RCE (CVE-2025-32432)
63Exploiting IPs reported
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
CrowdSec analysis
CVE-2025-32432 is a critical vulnerability affecting Craft CMS, enabling remote code execution through specially crafted requests to the asset generation functionality within the admin panel.
CrowdSec has been tracking this vulnerability and its exploits since 20th of May 2025.
Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-32432 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-32432 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-32432 is currently experiencing high visibility and active exploitation across the internet.
Exploitation attempts are typically associated with requests to URLs containing /index.php?p=admin/actions/assets/generate-transform.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.