CVE-2025-32432
KEV
🔴 Łataj teraz
Zdalne wykonanie kodu w Craft CMS umożliwia atakującym przejęcie kontroli nad systemem.
CVSS
10.0
EPSS
89.4%
Exploit
weaponized
Vendor
craftcms
Opis źródłowy (NVD)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
exploit rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 10.0 |
| CISA KEV (aktywnie wykorzystywane) | Tak |
| FIRST EPSS (prawdopodobieństwo exploita) | 89.4% |
| Opublikowano (NVD) | 2025-04-25 15:15:36 UTC |
| Ostatnia modyfikacja (NVD) | 2026-03-20 19:14:20 UTC |
Referencje
- https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical (security-advisories@github.com) [Release Notes, Product]
- https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical (security-advisories@github.com) [Product, Release Notes]
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical (security-advisories@github.com) [Product, Release Notes]
- https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47 (security-advisories@github.com) [Patch]
- https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3 (security-advisories@github.com) [Vendor Advisory]
- https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/ (134c704f-9b21-4f2e-91b3-4a467353bcc0) [Exploit, Press/Media Coverage]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]