CVE-2025-32432 Scanner

CVE-2025-32432 Scanner - Remote Code Execution vulnerability in CraftCMS

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 6 days 6 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

CraftCMS is a popular content management system (CMS) used by developers and digital agencies to create custom web experiences. It provides a flexible platform for building websites, blogs, and digital portfolios, and supports features such as multi-site setups, extensibility through plugins, and a user-friendly interface. CraftCMS is widely used by web developers because of its scalability and flexibility, especially for large-scale and customized web applications. It integrates easily with other systems and provides a robust API for programmatic access. This vulnerability affects CraftCMS versions from 3.0.0-RC1 up to (but not including) the fixed releases listed below, the latest of which is 5.6.17, leaving those versions susceptible to remote code execution attacks.

The detected vulnerability in CraftCMS allows attackers to execute arbitrary code remotely. It exists because of insufficient input validation in specific admin actions related to asset handling: CraftCMS fails to properly handle crafted requests, enabling attackers to inject PHP code that is then executed on the server. The vulnerability is critical because it grants full control over the server, potentially leading to severe consequences such as data breaches or site compromise. Exploiting it requires minimal attacker privileges, making it highly exploitable by unauthenticated users. The vulnerability has been patched in versions 3.9.15, 4.14.15, and 5.6.17.

The vulnerability is triggered when an attacker sends a specially crafted POST request to the admin asset generation endpoint. The request carries malicious data in its parameters, specifically abusing the handling of the "width" and "height" fields. Through this, the attacker can inject PHP code into the server's request processing pipeline, leading to remote code execution. Once exploited, the injected code lets the attacker run arbitrary PHP on the server, potentially gaining administrative access to the CMS and control over the underlying server environment. The vulnerable parameter sits in the asset transformation process, which handles user input without sufficient sanitization or validation.

If exploited, this vulnerability can lead to full remote code execution on the server. An attacker can execute arbitrary PHP code, which could allow them to take full control of the CraftCMS instance. This may lead to unauthorized access to sensitive data, website defacement, or the installation of malware. The attacker could also exploit this access to pivot further into the server's environment, leading to a complete compromise of the underlying system. The vulnerability's criticality stems from its low complexity and high potential impact, making it a prime target for attackers.
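The practical first step for an asset owner is to compare every deployed CraftCMS version against the fixed releases named above (3.9.15, 4.14.15, 5.6.17). The following is an added example, not code from this scanner or from the CraftCMS project: it parses a version string, decides whether it falls in the affected range, and triages a constructed host inventory. It assumes semver-style ordering in which a pre-release tag (such as the RC1 in 3.0.0-RC1) sorts before the matching final release; host names and version values are constructed for illustration.

```python
import re

# Fixed releases named on the page, keyed by major version.
# Any release of the same major line below these is unpatched.
FIXED_VERSIONS = {
    3: (3, 9, 15),
    4: (4, 14, 15),
    5: (5, 6, 17),
}

# Matches "MAJOR.MINOR.PATCH" with an optional "-PRERELEASE" suffix (e.g. "3.0.0-RC1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None) for a CraftCMS version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(part) for part in match.group(1, 2, 3))
    return core, match.group(4)


def is_affected(version_text):
    """True if this version falls inside the affected range for CVE-2025-32432.

    Affected: every 3.x, 4.x and 5.x release older than the fix for its major line.
    A pre-release of the fixed version itself (e.g. "5.6.17-beta.1") is treated as
    older than the fix, following semver ordering (an assumption of this example).
    """
    core, prerelease = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(core[0])
    if fixed is None:
        # Major lines outside 3.x-5.x are not in the range described on the page.
        return False
    if core < fixed:
        return True
    if core == fixed and prerelease is not None:
        return True
    return False


def needs_patch(inventory):
    """Return the sorted host names whose CraftCMS version is still affected."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed inventory for demonstration; host names and versions are not real.
INVENTORY = {
    "web-a.example.internal": "4.13.2",
    "web-b.example.internal": "5.6.17",
    "web-c.example.internal": "3.9.14",
    "web-d.example.internal": "3.0.0-RC1",
}

if __name__ == "__main__":
    for host in needs_patch(INVENTORY):
        print(f"{host}: CraftCMS {INVENTORY[host]} is affected, upgrade to a fixed release")
```

Running the module on the constructed inventory lists web-a, web-c and web-d as unpatched and leaves web-b (already on 5.6.17) out. Feeding it the versions reported by your own deployment inventory gives a quick patch-status view that complements the network scan above.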
