CVE-2025-32432 is a critical code injection vulnerability in Craft CMS that allows remote code execution. It affects Craft CMS from 3.0.0-RC1 before 3.9.15, 4.0.0-RC1 before 4.14.15, and 5.0.0-RC1 before 5.6.17. The flaw is associated with Craft CMS’s image transformation functionality and can be reached through the assets generate-transform action. Available reporting indicates exploitation can be performed pre-authentication by sending a crafted POST request to the generate-transform endpoint. Technical discussion around detection and exploitation indicates the vulnerable path processes attacker-controlled object data during transformation handling, and successful exploitation across versions requires a valid asset identifier. The issue was released as an additional fix for CVE-2023-41892.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
Repository is a small Python PoC set for CVE-2025-32432 affecting Craft CMS. It contains two executable scripts and minimal supporting files (README, LICENSE, requirements, .gitignore). `craftcms_rce_php_check.py` is a threaded scanner/checker that accepts a single URL or a file of URLs, detects Craft CMS version, extracts a CSRF token from the admin dashboard, and sends a crafted JSON payload to `/index.php?p=admin/actions/assets/generate-transform` to invoke `phpinfo()` through gadget/object abuse. If successful, it marks the target vulnerable and extracts useful environment details such as `CRAFT_DB_DATABASE` and the HOME directory, saving results to `vulnerable.txt`. `craftcms_final_payload.py` is the actual exploitation script: it detects version, brute-forces a valid `assetId` if one is not supplied, injects PHP code `<?=exec($_GET['cmd']);die();?>` into session-backed state via a crafted request to `/index.php` with `p=admin/dashboard`, extracts `CRAFT_CSRF_TOKEN` and `CraftSessionId`, then triggers the vulnerable asset transform action at `/index.php?p=actions/assets/generate-transform` with a malicious object structure referencing `/tmp/sess_<session_id>`. This yields arbitrary command execution with command output parsed from the HTTP response. Overall, the repository’s purpose is both vulnerability validation and practical RCE exploitation against vulnerable Craft CMS 3.x/4.x/5.x instances.
Small standalone Python exploit repository for CVE-2025-32432 targeting Craft CMS. The repo contains one main code file (exploit.py), a detailed README, requirements.txt, and license metadata. The exploit is not framework-based. Core capability: unauthenticated RCE against vulnerable Craft CMS by abusing the anonymous /actions/assets/generate-transform endpoint. The script obtains a CSRF token from /actions/users/session-info, poisons a server-side file (default nginx access.log) by sending PHP in the User-Agent header, then POSTs crafted handle[...] parameters so Craft/Yii instantiates yii\rbac\PhpManager with itemFile pointing to the poisoned file. Because PhpManager ultimately require()s itemFile, the injected PHP executes on the server. Operational flow in exploit.py: initialize a requests session with TLS verification disabled; optionally perform a lab-specific PATCH /login to obtain a coopsess cookie; fetch CSRF token; poison the log via GET /; trigger the vulnerable endpoint via POST /actions/assets/generate-transform; parse returned output; and optionally support reverse-shell execution with a locally spawned nc/ncat listener. The README also documents alternate itemFile paths and a more persistent header-driven PHP webshell concept. Notable targeting details: requires a reachable Craft CMS instance, a valid assetId, and a writable/parsable sink such as /var/log/nginx/access.log. The README states affected versions as Craft CMS <= 5.6.16, <= 4.15.2, <= 3.9.14, and Yii2 <= 2.0.49, with fixes in Craft 5.6.17+ and Yii2 2.0.50. Overall, this is a real operational PoC with built-in command execution and reverse-shell support rather than a mere detector.
This repository is a small standalone Python exploit for CVE-2025-32432, a pre-authentication remote code execution vulnerability in Craft CMS. It contains two files: a README describing the vulnerability, affected versions, and usage, and exploit.py, the actual exploit implementation. No external framework such as Metasploit or Nuclei is used. The exploit is operational and performs a full attack chain against a remote Craft CMS target. First, it establishes a session by requesting /index.php and extracting the PHPSESSID cookie. Second, if the operator does not provide a known asset ID, it brute-forces one by POSTing crafted JSON to /actions/assets/generate-transform and treating any non-404 response as a likely valid assetId. Third, it poisons the PHP session by sending a GET request to /index.php with query parameters including attacker-controlled PHP code in parameter a, relying on the vulnerable routing/session behavior to write raw input into /tmp/sess_<PHPSESSID>. Finally, it triggers deserialization by POSTing another crafted JSON object to /actions/assets/generate-transform, abusing the craft\\behaviors\\FieldLayoutBehavior -> yii\\rbac\\PhpManager gadget chain so itemFile points to the poisoned session file. When included, the injected PHP executes system('<command>'). Main exploit capabilities: unauthenticated remote command execution, optional asset ID brute-forcing, session establishment and cookie harvesting, session poisoning, and retrieval/display of server response content. The payload is basic but functional: arbitrary shell command execution through PHP's system() call. The script supports operator-supplied target URL, command, optional asset ID, brute-force range, timeout, and verbose logging. Fingerprintable targets and artifacts in code include the Craft CMS routes /index.php and /actions/assets/generate-transform, the PHP session cookie PHPSESSID, and the local server file path /tmp/sess_<PHPSESSID>. The exploit specifically targets Craft CMS versions 3.9.14 and earlier, 4.14.14 and earlier, and 5.6.16 and earlier, as stated in the repository.
This repository contains a fully functional exploit for CVE-2025-32432, a critical pre-authentication remote code execution (RCE) vulnerability in Craft CMS versions 3.x, 4.x, and 5.x prior to their respective patched releases. The exploit is implemented in Python (CVE-2025-32432.py) and automates the attack by first extracting a CSRF token from the admin dashboard, then sending a specially crafted JSON payload to the /index.php?p=admin/actions/assets/generate-transform endpoint. This payload leverages PHP object deserialization to execute arbitrary PHP code (demonstrated with phpinfo). The script supports both single and multiple target modes, uses threading for efficiency, and writes results to a file. The README.md provides detailed vulnerability, exploitation, and mitigation information. The exploit is operational and can be used to verify and demonstrate RCE on vulnerable Craft CMS instances.
This repository provides a comprehensive and operational exploit toolkit for CVE-2025-32432, a critical remote code execution (RCE) and information disclosure vulnerability in CraftCMS. The main exploit script (CVE-2025-32432.py) implements multiple session injection techniques by abusing the 'returnUrl' and 'a' parameters on various admin endpoints to inject PHP code into the session file. It then discovers a valid asset ID and crafts JSON payloads to trigger either information disclosure (via GuzzleHttp\Psr7\FnStream and phpinfo()) or RCE (via yii\rbac\PhpManager loading the session file). The exploit is highly automated, with robust output parsing, error handling, and debug options. An additional script (automated_testing.py) enables concurrent testing of multiple targets and saves results in JSON format. The repository includes detailed documentation (README.md, USAGE.md, exploit_summary.md) outlining usage, technical details, and mitigation advice. The exploit targets CraftCMS versions prior to 3.9.15, 4.14.15, and 5.6.17, and requires the ability to write and read PHP session files on the server. The attack vector is network-based, targeting exposed CraftCMS admin endpoints. Key fingerprintable endpoints include various admin URLs and the PHP session file path. The exploit is not a framework module but is mature and operational, providing both RCE and information disclosure capabilities.
This repository provides two Python scripts for exploiting CVE-2025-32432, a pre-authentication remote code execution vulnerability in CraftCMS versions 3.x, 4.x, and 5.x. The exploit leverages a two-step attack chain: first, it injects arbitrary PHP code into a session file via a GET request to the admin dashboard endpoint; second, it uses a POST request to the asset-transform endpoint with a crafted deserialization gadget to require and execute the session file, resulting in arbitrary command execution. The main script, 'craftcms_final_payload.py', automates this process, including brute-forcing the required assetId if not provided. The secondary script, 'craftcms_rce_php_check.py', is a low-impact probe that checks for exploitability by attempting to execute phpinfo(). The repository is well-documented, includes installation and usage instructions, and targets unauthenticated attackers over HTTP/HTTPS. The exploit is operational, providing a working payload for arbitrary shell command execution on vulnerable CraftCMS instances.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-32432, a pre-authentication remote code execution (RCE) vulnerability in CraftCMS versions 4.x and 5.x. The exploit is implemented in a single Python script, 'craftcms_rce.py', which automates the process of detecting and exploiting the vulnerability. The script works by first retrieving a CSRF token from the CraftCMS admin dashboard, then sending a specially crafted JSON payload to the asset transform generation endpoint. This payload leverages PHP object injection to trigger code execution via the 'GuzzleHttp\Psr7\FnStream' class, with the default action being execution of 'phpinfo()' to verify exploitation. The script supports both single and multiple target modes, multi-threaded scanning, and outputs results to both the console and a CSV file ('vulnerable.txt'). The exploit extracts and reports sensitive information such as the database name and home directory from the target upon successful exploitation. The repository is well-documented, with a detailed README explaining usage, technical details, and output format. No hardcoded IPs or domains are present; the script takes user-supplied targets as input.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
100 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Vulnerability in Craft CMS listed by the alert as being exploited in a large-scale CMS exploitation campaign.
A publicly known and patched vulnerability affecting Craft CMS that is being exploited in a large-scale CMS campaign to deploy webshells.
A vulnerability affecting Craft CMS, mentioned as part of a broader ACSC list of CMS/plugin vulnerabilities targeted in a global exploitation campaign.
A vulnerability in Craft CMS listed by ACSC as exploited in a global CMS webshell deployment campaign.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.