Craft CMS CVSS 10 Code Injection CVE-2025-32432 Added to CISA KEV

CISA added CVE-2025-32432, a maximum-severity code injection vulnerability in Craft CMS, to its Known Exploited Vulnerabilities catalogue on 20 March 2026. The flaw allows unauthenticated remote attackers to execute arbitrary code on any publicly accessible Craft CMS installation. Exploitation has been ongoing since at least February 2025 and the Mimo threat actor has been actively using it to deploy cryptocurrency miners and residential proxy malware.

Tags: #craft-cms #rce #unauthenticated #code-injection #cisa-kev #cve-2025-32432 #cms #web-application #mimo

The Vulnerability

CVE-2025-32432 is a critical code injection vulnerability in Craft CMS, a widely used PHP-based content management system deployed across enterprise, media, government, and educational websites. The flaw carries a CVSS score of 10.0, the maximum possible rating.

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code, "Code Injection") and allows remote, unauthenticated attackers to execute arbitrary PHP code on vulnerable servers. The flaw was introduced in Craft CMS version 3.0.0-RC1 and is present in every release since across three major version lines, which makes this a systemic vulnerability rather than a narrow edge case.

CISA added CVE-2025-32432 to its Known Exploited Vulnerabilities catalogue on 20 March 2026, alongside the DarkSword Apple chain, with a federal patch deadline of 3 April 2026.

Affected Versions

  • Craft CMS 3.0.0-RC1 through 3.9.14: fixed in 3.9.15
  • Craft CMS 4.0.0-RC1 through 4.14.14: fixed in 4.14.15
  • Craft CMS 5.0.0-RC1 through 5.6.16: fixed in 5.6.17

Any publicly accessible Craft CMS installation running a version inside these ranges is exploitable without authentication. Note that the lower bounds are release candidates: a 3.0.0-RC1 install is affected even though it predates the 3.0.0 final release.
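Checking an installed version against those ranges is the kind of thing that goes wrong in a hurry when the comparison is done on strings (release candidates sort after the final release, "3.9.9" sorts after "3.9.14"). The script below is an added example written for this page, not code from Craft CMS or from the advisory: it parses a Craft version string into a sortable key that places pre-releases before the matching final release, reports the first fixed version for anything inside the affected ranges, and pulls the installed `craftcms/cms` version out of a `composer.lock` document. The `SAMPLE_LOCK` excerpt is constructed for the demo.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges and first fixed releases, exactly as listed in the advisory:
# (inclusive lower bound, inclusive upper bound, first fixed version).
AFFECTED_RANGES = [
    ("3.0.0-RC1", "3.9.14", "3.9.15"),
    ("4.0.0-RC1", "4.14.14", "4.14.15"),
    ("5.0.0-RC1", "5.6.16", "5.6.17"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$")


def parse_version(version: str) -> Tuple:
    """Turn '4.0.0-RC1' / '4.14.15' into a tuple that sorts the way Composer does.

    The lower bounds of the affected ranges are release candidates, so the
    comparison must treat 3.0.0-RC1 as *older* than 3.0.0: a final release
    gets the key (1,), a pre-release gets (0, <pre-release parts>).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, (1,))
    parts = []
    for token in re.split(r"[.\-]", pre):
        tm = re.match(r"([A-Za-z]*)(\d*)", token)
        # Label compared case-insensitively, number compared numerically,
        # so RC2 < RC10 (a plain string compare would get this wrong).
        parts.append((tm.group(1).lower(), int(tm.group(2) or 0)))
    return (major, minor, patch, (0, tuple(parts)))


def first_fixed_version(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None.

    None also comes back for versions the advisory does not list at all
    (for example unsupported 2.x installs), which still deserve a manual look.
    """
    key = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= key <= parse_version(high):
            return fixed
    return None


def craft_version_from_lock(lock_json: str) -> Optional[str]:
    """Read the installed craftcms/cms version out of a composer.lock document."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed composer.lock excerpt for the demo; not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "4.14.14"},
    ]
})


if __name__ == "__main__":
    installed = craft_version_from_lock(SAMPLE_LOCK)
    fix = first_fixed_version(installed)
    verdict = f"VULNERABLE, upgrade to {fix}" if fix else "not in an affected range"
    print(f"craftcms/cms {installed}: {verdict}")
    for v in ("3.0.0-RC1", "3.9.15", "5.0.0", "5.6.17", "2.9.0"):
        print(v, first_fixed_version(v))
```

Run it against the `composer.lock` of each site in an inventory (the file lives in the project root, next to `composer.json`); installs that return `None` because they are older than 3.0.0-RC1 or newer than the listed lines should be reviewed against the vendor advisory rather than assumed safe.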

Exploitation History

Orange Cyberdefense SensePost researchers assessed that CVE-2025-32432 had been exploited as a zero-day since approximately February 2025, more than a year before CISA's KEV addition. During that period the vulnerability was used quietly by threat actors, with no public disclosure to prompt patching.

Following public disclosure, the Mimo intrusion set (also tracked as Hezb) adopted CVE-2025-32432 as a primary initial access vector for its automated attack campaigns. Mimo exploits vulnerable Craft CMS instances to deploy:

  • Cryptocurrency miners (typically XMRig for Monero mining using victim server resources)
  • Residential proxy malware, enrolling compromised servers into residential proxy networks for later sale or use in other attacks

Because Mimo's exploitation is automated, any publicly accessible unpatched Craft installation is at significant risk of opportunistic compromise, not only of targeted attacks.

Why This Matters Beyond Crypto Mining

While Mimo’s current activity focuses on cryptomining and proxies, a maximum-severity unauthenticated RCE in a CMS platform has broader implications:

Data access: Craft CMS connects to databases containing user data, media assets, and configuration files. Initial compromise may expose database credentials and connection strings, granting access beyond the webserver itself.

Webserver pivot: A compromised Craft CMS instance running on shared hosting or in a cloud environment may have network access to adjacent services or internal VPCs that are not directly internet-exposed.

Defacement and integrity attacks: An attacker with code execution can modify website content β€” a significant risk for government, financial services, and media organisations whose websites carry implicit trust.

Credential harvesting: CMS admin credentials, API keys for integrated services, and cloud provider credentials stored in the Craft configuration files are all accessible after exploitation.

Remediation

  1. Update Craft CMS immediately to at least version 3.9.15, 4.14.15, or 5.6.17, depending on your major version branch
  2. Audit all Craft CMS installations across your web hosting, including development and staging environments, which are frequently overlooked during patch cycles
  3. Check web server logs for indicators of Mimo activity: unusual PHP execution patterns, outbound connections to mining pool addresses, unexpected cron job creation, or new files in web-accessible directories
  4. Rotate database credentials and API keys stored in Craft’s .env configuration file on any installation that was publicly exposed in an unpatched state
  5. Verify file integrity on Craft installations: compare installed files against a clean version checksum to detect any backdoors or malicious files planted during exploitation
  6. Apply the principle of least privilege: Craft CMS web processes should not run as root and should have minimal filesystem permissions. This limits the blast radius if a future vulnerability is exploited before patching
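Steps 3 and 5 above both come down to answering "which files on this host are not the ones I deployed?". The following is an added example written for this page, not code from Craft CMS or from any incident report: it hashes a clean reference tree and the deployed tree, reports files that were added, removed or modified, and then narrows the added/modified set to PHP files under the web-served `web/` directory, the usual drop location for a backdoor. The `web/` and `storage/` layout is the default Craft project layout; the two trees in `demo()` are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Directory Craft serves directly. A PHP file that appears here after
# deployment is the classic place for a dropped backdoor.
WEB_DIRS = ("web",)
# Directories the CMS legitimately writes at runtime; their churn is expected
# and is left out of the manifest so it does not drown the report.
RUNTIME_DIRS = ("storage/runtime", "storage/logs")
PHP_SUFFIXES = (".php", ".phtml", ".phar")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    skip = tuple(d + "/" for d in RUNTIME_DIRS)
    for p in sorted(root.rglob("*")):  # rglob includes dotfiles such as web/.cache.php
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if not rel.startswith(skip):
                manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as added, removed or modified relative to the clean baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def web_accessible_php(paths: Iterable[str]) -> List[str]:
    """Keep only PHP files that sit inside a directory the web server exposes."""
    hits = []
    for rel in paths:
        in_web = any(rel.startswith(d + "/") for d in WEB_DIRS)
        if in_web and rel.lower().endswith(PHP_SUFFIXES):
            hits.append(rel)
    return hits


def _write(root: Path, rel: str, content: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean Craft tree beside a deployed copy that was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, deployed = Path(tmp) / "clean", Path(tmp) / "deployed"
        for root in (clean, deployed):
            _write(root, "web/index.php", b"<?php require dirname(__DIR__) . '/vendor/autoload.php';\n")
            _write(root, "vendor/craftcms/cms/src/Craft.php", b"<?php // framework bootstrap\n")
            _write(root, "config/general.php", b"<?php return [];\n")
        # Runtime noise on the deployed host: must not show up in the report.
        _write(deployed, "storage/runtime/compiled_templates/a1.php", b"<?php // compiled template\n")
        _write(deployed, "storage/logs/web.log", b"2026-03-21 00:00:00 [info] request\n")
        # Tampering: a file dropped into the web root and a vendor file altered in place.
        _write(deployed, "web/assets/.cache.php", b"<?php /* not part of any Craft release */\n")
        _write(deployed, "vendor/craftcms/cms/src/Craft.php", b"<?php // framework bootstrap\n// appended line\n")

        report = diff_manifests(hash_tree(clean), hash_tree(deployed))
        report["web_php"] = web_accessible_php(report["added"] + report["modified"])
        return report


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Build the baseline from a fresh download of the same Craft version (a new `composer create-project` of the pinned release, or your own deployment artifact), never from the host under investigation, since an attacker with code execution could have altered anything there. A clean diff is evidence, not proof: persistence outside the web tree, such as the cron entries mentioned in step 3, will not show up here and still has to be checked separately.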