Full Report
Craft CMS security advisory (AV25-300) – Update 1
Analysis Summary
# Vulnerability: Craft CMS Remote Code Execution (RCE) via Unsafe File Upload
## CVE Details
- **CVE ID:** CVE-2025-32432
- **CVSS Score:** 9.8 (Critical) (Estimated based on CISA KEV inclusion and impact)
- **CWE:** CWE-434: Unrestricted Upload of File with Dangerous Type
## Affected Systems
- **Products:** Craft CMS
- **Versions:**
  - Versions prior to 3.9.15
  - Versions prior to 4.14.15
  - Versions prior to 5.6.17
- **Configurations:** Systems where authenticated users have permissions to upload files, or where publicly accessible upload forms are misconfigured.
## Vulnerability Description
CVE-2025-32432 is a critical vulnerability involving the bypass of file upload restrictions. The flaw allows an attacker to upload malicious scripts (such as PHP web shells) to the web server. Because Craft CMS runs on PHP, a request to one of these uploaded files causes the server to execute it, which yields Remote Code Execution (RCE) and lets the attacker take full control of the underlying server environment.
## Exploitation
- **Status:** **Exploited in the wild.** Included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog as of March 2026.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Total access to database and system files)
- **Integrity:** High (Ability to modify site content and system configurations)
- **Availability:** High (Potential for site takeover or ransomware deployment)
## Remediation
### Patches
The vendor has released patches for all supported major branches. Administrators should update to at least the following versions:
- Craft CMS **3.9.15**
- Craft CMS **4.14.15**
- Craft CMS **5.6.17**
### Workarounds
- Review and restrict "Upload" permissions for all user groups.
- Externalize asset storage (e.g., using Amazon S3 or Google Cloud Storage) to prevent script execution on the local web server.
- Implement a Web Application Firewall (WAF) to filter common web shell signatures and suspicious file uploads.
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected PHP files in the `web/assets` or `storage` directories.
  - Unusual web server logs showing POST requests to upload endpoints followed by GET requests to newly created files in static directories.
- **Detection Methods:**
  - Audit Craft CMS user accounts for unauthorized administrative privileges.
  - Monitor for processes spawned by the web server user (e.g., `www-data`) that initiate outbound network connections.
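As an added illustration of the log-based indicator above (example code, not part of the advisory), this Python script correlates a successful POST to an upload endpoint with a later GET of a script file under a static directory by the same client. The upload endpoint prefix, the static directory names and the sample log lines are constructed assumptions; adjust them to your deployment.

```python
import re
from datetime import datetime

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed values (not from the advisory): tune to your site's upload route
# and to the directories the web server serves statically.
UPLOAD_PREFIXES = ("/actions/assets/upload",)
STATIC_DIRS = ("/assets/", "/storage/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)


def parse(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_upload_then_fetch(lines, window_seconds=1800):
    """Return (ip, upload_path, fetched_path) for every client that POSTs to an
    upload endpoint and, within the window, GETs a script under a static dir."""
    last_upload = {}  # ip -> (timestamp, path) of its latest successful upload POST
    hits = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["path"].startswith(UPLOAD_PREFIXES) and r["status"] < 400:
            last_upload[r["ip"]] = (r["ts"], r["path"])
        elif r["method"] == "GET" and r["ip"] in last_upload:
            up_ts, up_path = last_upload[r["ip"]]
            in_static = any(d in r["path"] for d in STATIC_DIRS)
            if in_static and SCRIPT_EXT.search(r["path"]) and (r["ts"] - up_ts).total_seconds() <= window_seconds:
                hits.append((r["ip"], up_path, r["path"]))
    return hits


# Constructed sample log: one client uploads then fetches a .php file (suspicious),
# one uploads an image (benign), one fetches a .php file without uploading (404).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2025:10:01:02 +0000] "POST /actions/assets/upload HTTP/1.1" 200 214 "-" "curl/8.0"',
    '203.0.113.5 - - [12/May/2025:10:01:09 +0000] "GET /assets/uploads/IMG_2041.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [12/May/2025:10:02:00 +0000] "POST /actions/assets/upload HTTP/1.1" 200 214 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2025:10:02:05 +0000] "GET /assets/uploads/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/May/2025:10:03:00 +0000] "GET /assets/uploads/IMG_2041.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
```

Run `find_upload_then_fetch(open("access.log"))` against a real access log; each returned tuple is a client worth checking against the file-system indicator in the first bullet.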
## References
- Craft CMS Advisory: [hxxps://craftcms[.]com/knowledge-base/craft-cms-cve-2025-32432]
- Craft Security Articles: [hxxps://craftcms[.]com/knowledge-base/security]
- CISA KEV Catalog: [hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432]
- Canadian Centre for Cyber Security (AV25-300): [hxxps://www[.]cyber[.]gc[.]ca/en/alerts-advisories/craft-cms-security-advisory-av25-300]