Craft CMS - RCE (CVE-2025-32432)
108Exploiting IPs reported
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
CrowdSec analysis
CVE-2025-32432 is a critical vulnerability affecting Craft CMS, enabling remote code execution through specially crafted requests to the asset generation functionality within the admin panel.
CrowdSec has been tracking this vulnerability and its exploits since 20th of May 2025.
CrowdSec network data shows that most actors exploiting CVE-2025-32432 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. CrowdSec network telemetry also shows that exploitation of CVE-2025-32432 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.
Exploitation attempts are typically associated with requests to URLs containing /index.php?p=admin/actions/assets/generate-transform.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.