Headline
GHSA-f3gw-9ww9-jmc3: Craft CMS Allows Remote Code Execution
Impact
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.
Details
https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
References
https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915—2025-04-10-critical https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415—2025-04-10-critical https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617—2025-04-10-critical
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
Credits
Credit to Orange Cyberdefense for discovering a reporting this bug.
Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.