Critical Code Injection Vulnerability in Craft CMS Prompting Urgent Mitigation Efforts

Critical Code Injection Vulnerability in Craft CMS Actively Exploited

A critical security flaw has been identified in Craft CMS, a widely used content management system. The vulnerability, tracked as CVE-2025-32432, has been added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA) following confirmed exploitation in the wild. Security teams and system administrators should treat it as an immediate patching priority: a KEV listing means the flaw is not theoretical but is already being used against real deployments.

Understanding the Vulnerability

CVE-2025-32432 is a code injection flaw classified as CWE-94 (Improper Control of Generation of Code, "Code Injection"). This weakness arises when an application takes user-supplied input and, without adequate validation, lets it reach a point where it is interpreted as code rather than as data. In Craft CMS, the flaw allows a remote, unauthenticated attacker to execute arbitrary code on the underlying server.

Craft CMS is valued for its flexibility and customization capabilities, which have made it a popular choice for managing website content. That same flexibility widens the attack surface when vulnerabilities are not promptly addressed. Here the flaw lets an attacker inject code that runs with the privileges of the PHP process serving Craft CMS (typically the web server user), so everything that process can read, including the application's configuration and database credentials, is within reach.
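The following is an added example, not Craft CMS code, showing the CWE-94 pattern in miniature: a computed-field feature that hands an editor-supplied expression to eval() is a code-injection sink, while a version that parses the expression and evaluates only an allowlist of arithmetic nodes is not. It is written in Python rather than PHP for clarity; the weakness class is language-independent, and the same mechanism underlies the eval-injection (CWE-95) flaw described later on this page. The field names, the sample row and the hostile expression are constructed for this example.

```python
"""Added example (not Craft CMS code): CWE-94 in miniature.

A content system that lets editors type a small expression for a computed
field ("price * qty") and hands it to eval() is a code-injection sink: the
string is interpreted as program code, not as data. The hardened version
parses the expression into an AST and evaluates only an allowlist of
arithmetic nodes, so anything else is rejected before it can run.
"""
import ast
import operator


class ExpressionRejected(ValueError):
    """Raised when an expression contains anything outside the allowlist."""


# --- Vulnerable: the editor's text is executed as Python --------------------
def eval_field_unsafe(expr: str, row: dict) -> object:
    # Removing builtins is not a sandbox: dunder attribute access still works,
    # and from object.__subclasses__() an attacker walks to a class whose
    # module globals expose __import__ and, from there, to os.system().
    return eval(expr, {"__builtins__": {}}, dict(row))


# --- Hardened: parse, then evaluate only allowlisted node types -------------
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _evaluate(node: ast.AST, row: dict) -> float:
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in row:
            raise ExpressionRejected(f"unknown field {node.id!r}")
        return row[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_evaluate(node.left, row),
                                       _evaluate(node.right, row))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_evaluate(node.operand, row))
    # Attribute access, calls, subscripts, comprehensions: all refused.
    raise ExpressionRejected(f"disallowed syntax: {type(node).__name__}")


def eval_field_safe(expr: str, row: dict) -> float:
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ExpressionRejected(f"not an expression: {exc.msg}") from exc
    return _evaluate(tree.body, row)


# Constructed sample data for this example.
ROW = {"price": 12.5, "qty": 4}
BENIGN = "price * qty"
# Constructed hostile input: reaches the interpreter's class hierarchy with no
# builtins in scope, the first step of a well-known eval escape.
HOSTILE = "().__class__.__base__.__subclasses__()"


def compare(expr: str) -> dict:
    """Run one expression through both evaluators and report what happened."""
    out = {"unsafe": eval_field_unsafe(expr, ROW)}
    try:
        out["safe"] = eval_field_safe(expr, ROW)
        out["safe_rejected"] = False
    except ExpressionRejected as exc:
        out["safe"] = str(exc)
        out["safe_rejected"] = True
    return out


if __name__ == "__main__":
    print(compare(BENIGN))
    hostile = compare(HOSTILE)
    print("unsafe path exposed", len(hostile["unsafe"]), "classes;",
          "safe path:", hostile["safe"])
```

The point of the allowlist is that the decision is made on the parsed structure of the input, not on a denylist of dangerous strings: the hardened path never sees a callable, an attribute or a subscript, so there is nothing to escape from.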

Potential Impact of Exploitation

Once an attacker achieves remote code execution, they effectively control the affected application. That access allows them to modify website content, exfiltrate sensitive database records, or plant a persistent backdoor (a web shell or a rogue administrator account) for later use. A compromised web server also makes a convenient launching point for lateral movement into the organization's internal network, potentially leading to further system compromises and data breaches.

The addition of CVE-2025-32432 to the KEV catalog on March 20, 2026, signifies that threat actors are actively leveraging this flaw in real-world attacks. Whether this specific vulnerability is being used in ongoing ransomware campaigns is not yet known. Code injection and remote code execution flaws are, however, highly sought after by threat actors of every kind, including state-sponsored groups and initial access brokers, so organizations relying on Craft CMS must treat this as a high-priority threat.

Mitigation Measures

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by the date CISA sets; for this entry the compliance deadline is April 3, 2026. The directive binds only federal agencies, but CISA strongly urges private-sector organizations and enterprises everywhere to adopt the same aggressive patching timeline.

System administrators should apply the vendor's security update without delay. Because exploitation has already been confirmed, patching alone is not enough for an instance that was internet-exposed while vulnerable: review it for signs of compromise, such as unexpected files in web-writable directories, unfamiliar administrator accounts and unexplained outbound connections, and rotate any credentials the application could read. Regularly monitoring web access logs for anomalous requests and unauthorized control-panel access attempts remains essential. If the official patch cannot be applied immediately, organizations should follow applicable cloud service security guidance or temporarily take the vulnerable product offline until mitigations are in place.
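As an added example of the log monitoring recommended above (not a Craft CMS or CISA tool), the script below parses combined-format web access log lines and reports two things a responder looks for first: sources with repeated failed requests to the control panel, and successful control-panel requests from addresses outside the expected administrator allowlist. The control-panel prefix, the allowlist, the threshold and the log lines themselves are assumptions constructed for this example; set the first three from your own deployment.

```python
"""Added example (not a Craft CMS or CISA tool): flagging control-panel
activity in web access logs.

Reports (a) sources with repeated failed requests to the control panel,
which indicates probing or brute force, and (b) successful control-panel
requests from sources outside the expected administrator allowlist.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

CP_PREFIX = "/admin"            # assumption: control-panel URL prefix
ADMIN_ALLOWLIST = {"10.0.0.5"}  # assumption: where administrators log in from
FAILURE_THRESHOLD = 3           # assumption: failed attempts before flagging


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Scan an iterable of log lines; returns the two sets of findings."""
    failed = Counter()
    success_outside = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CP_PREFIX):
            continue
        if rec["status"] in (401, 403):
            failed[rec["ip"]] += 1
        elif rec["status"] < 400 and rec["ip"] not in ADMIN_ALLOWLIST:
            # 2xx and 3xx both count: a successful login usually redirects.
            success_outside[rec["ip"]].append(f'{rec["method"]} {rec["path"]}')
    return {
        "probing": {ip: n for ip, n in failed.items() if n >= FAILURE_THRESHOLD},
        "success_outside_allowlist": dict(success_outside),
    }


# Constructed log lines for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:01:02 +0000] "POST /admin/login HTTP/1.1" 403 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [01/Jan/2026:10:01:03 +0000] "POST /admin/login HTTP/1.1" 403 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [01/Jan/2026:10:01:04 +0000] "POST /admin/login HTTP/1.1" 403 512 "-" "curl/8.4.0"',
    '10.0.0.5 - - [01/Jan/2026:10:05:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2026:10:06:30 +0000] "POST /admin/users/new HTTP/1.1" 200 120 "-" "python-requests/2.31"',
    '192.0.2.44 - - [01/Jan/2026:10:07:00 +0000] "GET /blog/hello HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On a real server, pass the open log file to analyse() instead of SAMPLE_LOG; a successful control-panel request from an unexpected address after a burst of failures is exactly the sequence that deserves a human look.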

Broader Context of CMS Vulnerabilities

The exploitation of vulnerabilities in content management systems is not an isolated incident. Similar critical flaws have been identified in other platforms, underscoring the importance of proactive security measures.

XWiki Platform Injection Vulnerability

In October 2025, CISA issued an urgent warning about a severe injection vulnerability in the XWiki Platform, tracked as CVE-2025-24893. The flaw allows unauthenticated attackers to execute arbitrary code remotely, posing a significant risk to organizations that use the open-source wiki software. It stems from improper handling of user input in the SolrSearch endpoint and is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, "Eval Injection"): any guest user can send a crafted request that causes the server to evaluate attacker-controlled content as code. Full remote code execution undermines confidentiality, integrity and availability; attackers could steal data, deploy malware or pivot to other systems. Versions prior to the fixed releases are affected, which primarily impacts the education, government and corporate users who rely on XWiki for internal knowledge bases.

Control Web Panel OS Command Injection Vulnerability

In November 2025, CISA issued a critical warning about an OS command injection vulnerability in Control Web Panel (CWP), formerly known as CentOS Web Panel. The flaw, tracked as CVE-2025-48703, lets unauthenticated remote attackers execute arbitrary commands on vulnerable systems with minimal prerequisites, because the authentication check is bypassed entirely. The weakness lies in the file manager's changePerm request handling, where shell metacharacters injected into the t_total parameter reach a shell command and trigger remote code execution. The only knowledge an attacker needs is a valid non-root username, so exposed CWP installations can be targeted systematically without credentials or any specialized access.
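The weakness class behind the CWP flaw, OS command injection, is illustrated by the added example below; it is written for this page and is not CWP's code, so the handler, parameter names, managed directory and sample inputs are all constructed. A permission-change handler that builds "chmod mode path" as a shell string lets any metacharacter in either parameter start a second command; the hardened handler validates the mode, confines the path, and passes arguments as a list so no shell ever parses them.

```python
"""Added example (not CWP code): OS command injection through a
permission-change handler, and the fix.
"""
import posixpath
import re
import subprocess

MANAGED_ROOT = "/var/www/files"   # assumption: directory the file manager exposes
MODE_RE = re.compile(r"[0-7]{3,4}")


class BadRequest(ValueError):
    """Raised for a parameter that fails validation."""


# --- Vulnerable: parameters interpolated into a shell command line ---------
def build_chmod_unsafe(mode: str, path: str) -> str:
    # The string is returned rather than executed so this example is safe to
    # run; the real sink would be subprocess.run(cmd, shell=True), where a
    # ';', '|', '$(...)' or backtick in either parameter starts a new command.
    return f"chmod {mode} {MANAGED_ROOT}/{path}"


# --- Hardened: validate, confine, and never involve a shell -----------------
def build_chmod_safe(mode: str, path: str) -> list:
    if not MODE_RE.fullmatch(mode):
        raise BadRequest("mode must be 3 or 4 octal digits")
    full = posixpath.normpath(posixpath.join(MANAGED_ROOT, path))
    # Reject absolute paths, ".." escapes and the root itself.
    if full == MANAGED_ROOT or posixpath.commonpath([MANAGED_ROOT, full]) != MANAGED_ROOT:
        raise BadRequest("path escapes the managed directory")
    # argv list: each element is one argument, metacharacters stay literal.
    return ["chmod", mode, full]


def handle_change_perm(mode: str, path: str) -> dict:
    """Request handler: the argv that would run, or the rejection reason."""
    try:
        return {"ok": True, "argv": build_chmod_safe(mode, path)}
    except BadRequest as exc:
        return {"ok": False, "error": str(exc)}


def run_chmod(argv: list) -> int:
    """Execute an argv list without a shell; returns the exit status."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    print(build_chmod_unsafe("644; id", "notes.txt"))        # two commands for a shell
    print(handle_change_perm("644; id", "notes.txt"))        # rejected by validation
    print(handle_change_perm("644", "../../../etc/passwd"))  # rejected by confinement
    print(handle_change_perm("0644", "x; id"))               # literal filename, no shell
```

Note that the argv form alone is not the whole fix: it stops the shell from interpreting metacharacters, but path confinement is still needed so a valid mode cannot be applied to a file outside the managed directory.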

Sitecore CMS Code Execution Vulnerability

In March 2025, CISA added two Sitecore CMS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. CVE-2019-9874 and CVE-2019-9875 both affect the Sitecore.Security.AntiCSRF module and allow arbitrary code execution on vulnerable systems. CVE-2019-9874 (CVSS 9.8) is an unauthenticated deserialization flaw: the attacker tampers with the __CSRFTOKEN HTTP POST parameter, replacing it with a maliciously crafted serialized .NET object that executes code when the server deserializes it. CVE-2019-9875 (CVSS 8.8) affects the same module but requires authentication. That raises the bar somewhat, yet the attack is simple and the impact unchanged: once logged in, a threat actor can use the same deserialization vector to take over the server.
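The added example below (not Sitecore code) shows why an unsigned serialized object in a request parameter is a remote-code-execution sink and what the usual fix looks like. Python's pickle stands in for .NET's BinaryFormatter: both reconstruct arbitrary objects, and both let the serialized data choose what code runs during reconstruction. The hostile payload only calls os.getcwd(), a harmless stand-in for os.system(); the secret, the token layout and the claims are constructed for this example.

```python
"""Added example (not Sitecore code): deserialization of untrusted data
versus an authenticated, data-only token.
"""
import base64
import hashlib
import hmac
import json
import os
import pickle

SECRET = b"example-server-secret-rotate-me"   # constructed for this example


class Hostile:
    """Constructed payload: pickle calls this callable when the data is loaded."""

    def __reduce__(self):
        return (os.getcwd, ())        # harmless stand-in for (os.system, ("...",))


def make_hostile_token() -> str:
    """What an attacker would submit in place of the expected token."""
    return base64.b64encode(pickle.dumps(Hostile())).decode()


# --- Vulnerable: the client decides which type gets reconstructed ----------
def load_token_unsafe(token: str):
    return pickle.loads(base64.b64decode(token))


# --- Hardened: data-only format, authenticated before anything is parsed ---
def issue_token(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_token_safe(token: str) -> dict:
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("bad signature")
    # JSON yields only dicts, lists, strings and numbers: no object reconstruction.
    claims = json.loads(base64.urlsafe_b64decode(body))
    if not isinstance(claims, dict):
        raise ValueError("unexpected token body")
    return claims


def check(token: str) -> dict:
    """Server-side handling of a submitted token: accepted claims or the reason for rejection."""
    try:
        return {"ok": True, "claims": load_token_safe(token)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print("unsafe loader ran the payload:", load_token_unsafe(make_hostile_token()))
    print(check(issue_token({"session": "abc", "uid": 7})))
    print(check(make_hostile_token()))
```

Two properties matter in the hardened path: the format cannot express "instantiate this type", and the signature check happens before parsing, so an attacker without the server secret cannot get any attacker-chosen bytes in front of the decoder.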

Conclusion

The active exploitation of CVE-2025-32432 in Craft CMS is a stark reminder of the importance of timely vulnerability management and patching. Organizations must remain vigilant, keep their systems current, and maintain the detection and response practices that let them spot exploitation when a patch arrives too late. The similar vulnerabilities in other content management systems described above underscore that this is a recurring pattern, not an isolated event, and that a proactive, comprehensive approach to security is required.