CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-32432

CVSS 10.0v3.1pub. 2025-04-25upd. 2026-03-20

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-94 (code injection) allows an unauthenticated attacker to remotely execute arbitrary code on the server hosting Craft CMS. The attack is characterized by low complexity and requires no user interaction or possession of an account in the system. This is an additional patch for the previously reported CVE-2023-41892 vulnerability, indicating incomplete removal of the original attack vector.

Impact

Attackers can remotely execute arbitrary code on the server, which in practice means complete takeover of the application and potentially the entire system, data theft, backdoor installation, or further lateral movement in the network.

Mitigation & patch

Craft CMS must be immediately updated to version 3.9.15, 4.14.15, or 5.6.17 (released 2025-04-10). Due to active exploitation in production environments, the update should be treated as urgent and performed immediately.

Who is affected

Craft CMS in versions: 3.0.0-RC1 through before 3.9.15, 4.0.0-RC1 through before 4.14.15, and 5.0.0-RC1 through before 5.6.17

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
  • Craftcms Craft Cms

    APP
    Craftcms
    3.0.0 – 3.9.15 (bez)4.0.0 – 4.14.15 (bez)5.0.0 – 5.6.17 (bez)

CISA KEV — detailsi

Vendori
Craft CMS
Producti
Craft CMS
Added to KEVi
March 20, 2026
Remediation deadline (US Federal)i
April 3, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 kwietnia 2026
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-56145CRITICAL9.3⚠ KEVPL ✓ten sam produkt

RCE w Craft CMS przez nieprawidłową konfigurację register_argc_argv

CVE-2026-28697CRITICAL9.4PL ✓ten sam produkt

Craft CMS: RCE przez SSTI w polach szablonów Twig

CVE-2026-28783CRITICAL9.4PL ✓ten sam produkt

Craft CMS: obejście bloklisty PHP w silniku Twig umożliwia RCE

CVE-2024-37843CRITICAL9.8PL ✓ten sam produkt

SQL injection w Craft CMS przez endpoint GraphQL API

CVE-2023-41892CRITICAL10.0ten sam produkt

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector....